Add workflow-wide gh actions permissions (#608)

epszaw · web-flow · commit 655f7d354b12 · 2025-08-28T19:40:35.000+02:00
add workflow-wide permissions
diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
@@ -5,9 +5,14 @@ on:
     tags:
       - "[0-9]+.[0-9]+.[0-9]+"
 
+permissions:
+  contents: read
+
 jobs:
   release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       -
         name: Checkout
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -12,9 +12,14 @@ on:
           - minor
           - patch
 
+permissions:
+  contents: read
+
 jobs:
   release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       -
         name: Checkout
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -4,9 +4,14 @@ on:
   schedule:
     - cron: "30 1 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   stale:
     runs-on: ubuntu-22.04
+    permissions:
+      issues: write
     steps:
       - uses: actions/stale@v9
         with:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -8,6 +8,9 @@ on:
     branches:
       - master
 
+permissions:
+  contents: read
+
 jobs:
   rubocop:
     name: Rubocop
@@ -26,6 +29,8 @@ jobs:
   rspec:
     name: Rspec ruby-${{ matrix.ruby }}-oj-${{ matrix.oj }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     needs: rubocop
     strategy:
       fail-fast: false
