ci(security): reduce workflows permissions

sxd · sxd · commit 0a1520199dd7 · 2025-05-27T12:14:15.000+02:00
Set by default the permission to read-all in all the workflows and add the proper permissions for the following workflows: * CI * release-please * Release Publish Artifacts closes #352 Signed-off-by: Jonathan Gonzalez V. <jonathan.gonzalez@enterprisedb.com>
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -4,9 +4,14 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions: read-all
+
 jobs:
   ci:
     runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: write
     steps:
       - name: Cleanup Disk
         uses: jlumbroso/free-disk-space@v1.3.1
diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml
@@ -16,6 +16,8 @@ concurrency:
   group: "pages"
   cancel-in-progress: false
 
+permissions: read-all
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -5,6 +5,8 @@ on:
     branches:
       - main
 
+permissions: read-all
+
 jobs:
   release-please:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml
@@ -3,6 +3,8 @@ on:
   release:
     types: [published]
 
+permissions: read-all
+
 jobs:
   release-publish-artifacts:
     runs-on: ubuntu-latest
