ci: ensure least privilege permissions for GHA tokens (argoproj#12035)

agilgur5 · agilgur5 · commit c9a12126b288 · 2024-05-27T01:21:25.000-04:00
(cherry picked from commit 247448c)
diff --git a/.github/workflows/changelog.yaml b/.github/workflows/changelog.yaml
@@ -5,6 +5,7 @@ on:
     tags:
       - v*
       - "!v0.0.0"
+
 permissions:
   contents: read
 
diff --git a/.github/workflows/dependabot-reviewer.yml b/.github/workflows/dependabot-reviewer.yml
@@ -9,8 +9,8 @@ jobs:
   review:
     if: ${{ github.actor == 'dependabot[bot]' && github.repository == 'argoproj/argo-workflows'}}
     permissions:
-      pull-requests: write
-      contents: write
+      pull-requests: write # for approving a PR
+      contents: write # for enabling auto-merge on a PR
     runs-on: ubuntu-latest
     steps:
       - name: Dependabot metadata
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
@@ -13,11 +13,13 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
-  contents: write
+  contents: read
 
 jobs:
   docs:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # for publishing the docs to GH Pages
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v5
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
@@ -8,6 +8,9 @@ on:
       - reopened
       - synchronize
 
+permissions:
+  contents: read
+
 jobs:
   title-check:
     runs-on: ubuntu-latest
