ci: add least-privilege permissions to all workflows

elopez · elopez · commit b2f55de96552 · 2026-03-24T17:58:01.000-03:00
diff --git a/.github/workflows/action.yml b/.github/workflows/action.yml
@@ -8,6 +8,9 @@ on:
     branches:
       - master
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -8,6 +8,9 @@ on:
     branches:
     - master
 
+permissions:
+  contents: read
+
 env:
   # Tag for cache invalidation
   CACHE_VERSION: v10
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -7,10 +7,15 @@ on:
     tags:
       - '*'
 
+permissions: {}
+
 jobs:
   build:
     name: build ${{ matrix.platform }} container
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
+      packages: write
     strategy:
       fail-fast: false
       matrix:
@@ -97,6 +102,9 @@ jobs:
   merge:
     name: merge containers
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
     needs:
       - build
     steps:
diff --git a/.github/workflows/hlint.yml b/.github/workflows/hlint.yml
@@ -8,6 +8,9 @@ on:
     branches:
     - master
 
+permissions:
+  contents: read
+
 jobs:
   hlint:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -9,6 +9,8 @@ on:
     branches:
       - master
 
+permissions: {}
+
 jobs:
   nixBuild:
     name: Build ${{ matrix.name }} binary
