eksctl-io · AdnaneKhan · Oct 21, 2025 · Oct 21, 2025 · Oct 21, 2025 · Oct 21, 2025
diff --git a/.github/workflows/build-all-distros-nightly.yaml b/.github/workflows/build-all-distros-nightly.yaml
@@ -4,6 +4,9 @@ on:
     - cron: '0 9 * * 1-5'
   workflow_dispatch: {}
 
+permissions:
+  contents: read
+
 jobs:
   build-all-distros:
     name: build all distros

diff --git a/.github/workflows/docker-publish.yaml b/.github/workflows/docker-publish.yaml
@@ -4,6 +4,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 jobs:
   build-and-push-to-registry:
     name: Build and push container image

diff --git a/.github/workflows/homebrew-update.yml b/.github/workflows/homebrew-update.yml
@@ -4,6 +4,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  issues: write
+
 jobs:
   notify-homebrew:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/pr-labels.yaml b/.github/workflows/pr-labels.yaml
@@ -4,6 +4,9 @@ on:
   pull_request:
     types: [labeled, unlabeled, opened, edited, synchronize]
 
+permissions:
+  contents: read
+
 jobs:
   enforce-kind:
     name: Enforce a valid PR category

diff --git a/.github/workflows/publish-docs.yaml b/.github/workflows/publish-docs.yaml
@@ -3,6 +3,9 @@ name: Publish docs
 on:
   release:
     types: [published]
+permissions:
+  contents: read
+
 jobs:
   publish-docs:
     name: Publish docs to Netlify

diff --git a/.github/workflows/publish-release.yaml b/.github/workflows/publish-release.yaml
@@ -12,6 +12,9 @@ on:
       customToken:
         required: true
 
+permissions:
+  contents: write
+
 jobs:
   publish-release:
     name: ${{ inputs.isReleaseCandidate && 'prerelease' || 'release' }}

diff --git a/.github/workflows/release-candidate.yaml b/.github/workflows/release-candidate.yaml
@@ -3,6 +3,10 @@ name: Trigger Release Candidate
 on:
   workflow_dispatch: {}
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   rc:
     name: Push release candidate tag

diff --git a/.github/workflows/release-merge.yaml b/.github/workflows/release-merge.yaml
@@ -6,6 +6,10 @@ on:
 env:
   VERSION_FILE: pkg/version/release.go
   DEFAULT_BRANCH: main
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   merge_release:
     name: Merge release

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -3,6 +3,10 @@ name: Trigger Release
 on:
   workflow_dispatch: {}
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   rc:
     name: Push release tag

diff --git a/.github/workflows/test-and-build.yaml b/.github/workflows/test-and-build.yaml
@@ -4,6 +4,9 @@ on:
   pull_request: {}
   workflow_call: {}
 
+permissions:
+  contents: read
+
 jobs:
   unit-test:
     name: Unit tests