diff --git a/.github/workflows/build-all-distros-nightly.yaml b/.github/workflows/build-all-distros-nightly.yaml
index 9f02f288a9..8bc73547d8 100644
--- a/.github/workflows/build-all-distros-nightly.yaml
+++ b/.github/workflows/build-all-distros-nightly.yaml
@@ -4,6 +4,9 @@ on:
 - cron: '0 9 * * 1-5'
 workflow_dispatch: {}
 
+permissions:
+ contents: read
+
 jobs:
 build-all-distros:
 name: build all distros
diff --git a/.github/workflows/docker-publish.yaml b/.github/workflows/docker-publish.yaml
index 2d57124d76..1413eacbe0 100644
--- a/.github/workflows/docker-publish.yaml
+++ b/.github/workflows/docker-publish.yaml
@@ -4,6 +4,9 @@ on:
 release:
 types: [published]
 
+permissions:
+ contents: read
+
 jobs:
 build-and-push-to-registry:
 name: Build and push container image
diff --git a/.github/workflows/homebrew-update.yml b/.github/workflows/homebrew-update.yml
index d2754972e0..47c6b124f8 100644
--- a/.github/workflows/homebrew-update.yml
+++ b/.github/workflows/homebrew-update.yml
@@ -4,6 +4,9 @@ on:
 release:
 types: [published]
 
+permissions:
+ issues: write
+
 jobs:
 notify-homebrew:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/pr-labels.yaml b/.github/workflows/pr-labels.yaml
index 1734c815ef..ee98de21b9 100644
--- a/.github/workflows/pr-labels.yaml
+++ b/.github/workflows/pr-labels.yaml
@@ -4,6 +4,9 @@ on:
 pull_request:
 types: [labeled, unlabeled, opened, edited, synchronize]
 
+permissions:
+ contents: read
+
 jobs:
 enforce-kind:
 name: Enforce a valid PR category
diff --git a/.github/workflows/publish-docs.yaml b/.github/workflows/publish-docs.yaml
index e5fe1721ac..bdb9d5f595 100644
--- a/.github/workflows/publish-docs.yaml
+++ b/.github/workflows/publish-docs.yaml
@@ -3,6 +3,9 @@ name: Publish docs
 on:
 release:
 types: [published]
+permissions:
+ contents: read
+
 jobs:
 publish-docs:
 name: Publish docs to Netlify
diff --git a/.github/workflows/publish-release.yaml b/.github/workflows/publish-release.yaml
index 1fbed1c62a..575b9dd8d3 100644
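Review bot: `contents: read` alone sets every unlisted GITHUB_TOKEN scope to none, so if the build-and-push-to-registry job in docker-publish.yaml (its steps are outside the hunk) logs in to ghcr.io with `${{ secrets.GITHUB_TOKEN }}`, the push will now be rejected; that path needs `packages: write` next to `contents: read`, and `id-token: write` as well if the image is signed keyless. If the job authenticates with a dedicated registry secret instead, the grant as written is the right minimum, and a one-line comment above `permissions:` such as `# registry login uses a dedicated secret, not GITHUB_TOKEN` would stop the next reviewer from re-raising this.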
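Review bot: `issues: write` is the only scope granted in homebrew-update.yml, which leaves `contents` at none for the notify-homebrew job (its steps are outside the hunk); if that job runs `actions/checkout` or reads release assets through GITHUB_TOKEN it will need `contents: read` added. A write scope on a release-triggered workflow also deserves a why-comment, e.g. `# issues: write — <the step that needs it>` filled in with what the step actually does. GITHUB_TOKEN cannot push to or dispatch into a separate tap repository regardless of this block, so any cross-repo step must already be using a PAT or App token.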
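Review bot: The enforce-kind job in pr-labels.yaml (outside the hunk) is a label check, and `contents: read` may not be the scope it needs: reading labels from `github.event.pull_request.labels` requires no token, while querying the PR through the API or posting a failure comment requires `pull-requests: read` or `pull-requests: write`. Worth confirming which it does and granting that scope, keeping `contents: read` only if the job also checks out the repository. On `pull_request` runs from forks the token is read-only regardless, so a comment-posting step would need its own fallback anyway.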
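Review bot: In publish-docs.yaml `permissions:` is inserted directly under `types: [published]` with no blank line, while the other workflows in this commit separate the `on:` stanza from `permissions:` with one; release-merge.yaml has the same gap after `DEFAULT_BRANCH: main`. Adding the blank line in both keeps the top-level stanzas visually separated and the ten files consistent.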
--- a/.github/workflows/publish-release.yaml
+++ b/.github/workflows/publish-release.yaml
@@ -12,6 +12,9 @@ on:
 customToken:
 required: true
 
+permissions:
+ contents: write
+
 jobs:
 publish-release:
 name: ${{ inputs.isReleaseCandidate && 'prerelease' || 'release' }}
diff --git a/.github/workflows/release-candidate.yaml b/.github/workflows/release-candidate.yaml
index bb9bbf1075..14ab850c4e 100644
--- a/.github/workflows/release-candidate.yaml
+++ b/.github/workflows/release-candidate.yaml
@@ -3,6 +3,10 @@ name: Trigger Release Candidate
 on:
 workflow_dispatch: {}
 
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 rc:
 name: Push release candidate tag
diff --git a/.github/workflows/release-merge.yaml b/.github/workflows/release-merge.yaml
index 2dd0542ee6..75bece6568 100644
--- a/.github/workflows/release-merge.yaml
+++ b/.github/workflows/release-merge.yaml
@@ -6,6 +6,10 @@ on:
 env:
 VERSION_FILE: pkg/version/release.go
 DEFAULT_BRANCH: main
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 merge_release:
 name: Merge release
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 51ebb55399..de2383d5d9 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -3,6 +3,10 @@ name: Trigger Release
 on:
 workflow_dispatch: {}
 
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 rc:
 name: Push release tag
diff --git a/.github/workflows/test-and-build.yaml b/.github/workflows/test-and-build.yaml
index cb57b5b023..e22f37d7de 100644
--- a/.github/workflows/test-and-build.yaml
+++ b/.github/workflows/test-and-build.yaml
@@ -4,6 +4,9 @@ on:
 pull_request: {}
 workflow_call: {}
 
+permissions:
+ contents: read
+
 jobs:
 unit-test:
 name: Unit tests
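Review bot: `contents: write` at the top level of publish-release.yaml is granted to every job in the workflow, and since the `on:` block carries a required `customToken` (the trigger definition is outside the hunk) it is worth stating which token the release steps actually use: if they authenticate with `customToken`, GITHUB_TOKEN needs no write scope and `contents: read` is the safer floor. If this is a reusable workflow invoked via `workflow_call`, this block can only narrow what the caller passed — a caller that grants only `contents: read` silently downgrades it — so each caller must grant `contents: write` itself. The same workflow-level-versus-job-level question applies to release-candidate.yaml, release-merge.yaml and release.yaml: where a workflow has more than one job, placing `permissions:` on the job that needs write keeps the others read-only.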
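Review bot: `pull-requests: write` has no visible consumer in release-candidate.yaml — the only job shown is `rc`, "Push release candidate tag", and pushing a tag needs `contents: write` only (the step list is outside the hunk); the identical block in release.yaml raises the same question. If nothing in those jobs creates or edits a pull request, drop the scope; otherwise a comment naming the step, e.g. `# pull-requests: write — <step that opens the release PR>`, makes the grant auditable. Separately, a tag pushed with GITHUB_TOKEN does not start `push` or `release` workflows, so if later release jobs are expected to run from this tag the step must already be using a PAT or App token, in which case the write grant here is unused.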