fix gha permissions (#411)

k4leung4 · web-flow · commit 8780d3d7ab42 · 2025-05-27T18:46:22.000+02:00
Signed-off-by: Kenny Leung &lt;kleung@chainguard.dev&gt;
diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml
@@ -7,11 +7,15 @@ on:
   pull_request:
     branches: [ 'main', 'release-*' ]
 
+permissions: {}
+
 jobs:
 
   action-lint:
     name: Action lint
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Check out code
diff --git a/.github/workflows/boilerplate.yaml b/.github/workflows/boilerplate.yaml
@@ -7,11 +7,15 @@ on:
   pull_request:
     branches: [ 'main', 'release-*' ]
 
+permissions: {}
+
 jobs:
 
   check:
     name: Boilerplate Check
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       fail-fast: false # Keep running if one leg fails.
       matrix:
diff --git a/.github/workflows/donotsubmit.yaml b/.github/workflows/donotsubmit.yaml
@@ -7,11 +7,15 @@ on:
   pull_request:
     branches: [ 'main', 'release-*' ]
 
+permissions: {}
+
 jobs:
 
   donotsubmit:
     name: Do Not Submit
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Check out code
diff --git a/.github/workflows/go-test.yaml b/.github/workflows/go-test.yaml
@@ -9,10 +9,14 @@ on:
   push:
     branches: [ 'main', 'release-*' ]
 
+permissions: {}
+
 jobs:
 
   test:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
     - name: Check out code onto GOPATH
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/style.yaml b/.github/workflows/style.yaml
@@ -9,11 +9,15 @@ on:
   push:
     branches: [ 'main', 'release-*' ]
 
+permissions: {}
+
 jobs:
 
   gofmt:
     name: check gofmt
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Check out code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -31,6 +35,8 @@ jobs:
   goimports:
     name: check goimports
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Check out code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -46,6 +52,8 @@ jobs:
   golangci-lint:
     name: golangci-lint
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -67,6 +75,8 @@ jobs:
   lint:
     name: Lint
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Check out code
diff --git a/.github/workflows/verify.yaml b/.github/workflows/verify.yaml
@@ -9,11 +9,15 @@ on:
   push:
     branches: [ 'main', 'release-*' ]
 
+permissions: {}
+
 jobs:
 
   verify:
     name: Verify Codegen
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     env:
       GOPATH: ${{ github.workspace }}
