fix: add workflow permissions (#3874)

thomasrockhu-codecov · web-flow · commit c728ddff170a · 2025-05-26T17:03:47.000Z
diff --git a/.github/workflows/cache_cleanup.yml b/.github/workflows/cache_cleanup.yml
@@ -4,6 +4,9 @@ on:
     types:
       - closed
 
+permissions:
+  contents: read
+
 jobs:
   cleanup:
     runs-on: ubuntu-latest
@@ -14,14 +17,14 @@ jobs:
       - name: Cleanup
         run: |
           gh extension install actions/gh-actions-cache
-          
+
           REPO=${{ github.repository }}
           BRANCH="refs/pull/${{ github.event.pull_request.number }}/merge"
 
           echo "Fetching list of cache key"
           cacheKeysForPR=$(gh actions-cache list -R $REPO -B $BRANCH -L 100 | cut -f 1 )
 
-          ## Setting this to not fail the workflow while deleting cache keys. 
+          ## Setting this to not fail the workflow while deleting cache keys.
           set +e
           echo "Deleting caches..."
           for cacheKey in $cacheKeysForPR
@@ -30,4 +33,4 @@ jobs:
           done
           echo "Done"
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -8,6 +8,9 @@ on:
   pull_request:
   merge_group:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
diff --git a/.github/workflows/enforce-license-compliance.yml b/.github/workflows/enforce-license-compliance.yml
@@ -4,6 +4,9 @@ on:
   pull_request:
     branches: [main, master]
 
+permissions:
+  contents: read
+
 jobs:
   enforce-license-compliance:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/self-hosted-release-pr.yml b/.github/workflows/self-hosted-release-pr.yml
@@ -7,6 +7,9 @@ on:
         description: 'Name of version  (ie 23.9.5)'
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   create-release-pr:
     name: Create PR for Release ${{ github.event.inputs.versionName }}
diff --git a/.github/workflows/self-hosted-release.yml b/.github/workflows/self-hosted-release.yml
@@ -6,6 +6,9 @@ on:
       - main
     types: [closed]
 
+permissions:
+  contents: read
+
 jobs:
   create-release:
     name: Tag Release ${{ github.head_ref }} and Push Docker image to Docker Hub
diff --git a/.github/workflows/trigger-gazebo-preview.yml b/.github/workflows/trigger-gazebo-preview.yml
@@ -2,6 +2,9 @@ name: Trigger gazebo preview deploy
 
 on: pull_request
 
+permissions:
+  contents: read
+
 jobs:
   run:
     runs-on: ubuntu-latest
