Fix top level permissions in workflows

Permissions should be read only by default

Related to #174

Signed-off-by: James Taylor <[email protected]>

Author: jt-nti

.github/workflows/docker-build.yml

@@ -16,17 +16,17 @@ on:
         required: false
         type: string
 
-permissions:
-  contents: read
-  packages: write
-  id-token: write
-
 jobs:
   build:
     runs-on: ubuntu-latest
     outputs:
       image_digest: ${{ steps.push.outputs.digest }}
 
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+
     steps:
     - name: Checkout
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
@@ -66,6 +66,11 @@ jobs:
     needs: build
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
+
     steps:
     - name: Checkout
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

.github/workflows/go-contract-image.yml

@@ -14,7 +14,13 @@ on:
     paths:
       - 'samples/go-contract/**'
 
+permissions: read-all
+
 jobs:
+  permissions:
+    contents: write
+    packages: write
+    id-token: write
   docker_build:
     name: Docker build
     uses: ./.github/workflows/docker-build.yml

.github/workflows/go.yml

@@ -15,6 +15,8 @@ on:
       - 'docs/**'
       - 'samples/**'
 
+permissions: read-all
+
 jobs:
 
   build:
@@ -24,6 +26,9 @@ jobs:
         os: [ubuntu-latest, macOS-13]
         goarch: [amd64, arm64]
 
+    permissions:
+      contents: write
+
     env:
       GOARCH: ${{ matrix.goarch }}
 

.github/workflows/golangci-lint.yml

@@ -15,8 +15,7 @@ on:
       - 'docs/**'
       - 'samples/**'
 
-permissions:
-  contents: read
+permissions: read-all
 
 jobs:
   golangci:

.github/workflows/java-contract-image.yml

@@ -14,7 +14,13 @@ on:
     paths:
       - 'samples/java-contract/**'
 
+permissions: read-all
+
 jobs:
+  permissions:
+    contents: write
+    packages: write
+    id-token: write
   docker_build:
     name: Docker build
     uses: ./.github/workflows/docker-build.yml

.github/workflows/mkdocs.yml

@@ -11,10 +11,7 @@ on:
       - 'docs/**'
   workflow_dispatch:
 
-permissions:
-  contents: read
-  pages: write
-  id-token: write
+permissions: read-all
 
 # Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
 # However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
@@ -54,6 +51,10 @@ jobs:
   # Deployment job
   deploy:
     if: github.event_name == 'push'
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}

.github/workflows/node-contract-image.yml

@@ -14,7 +14,13 @@ on:
     paths:
       - 'samples/node-contract/**'
 
+permissions: read-all
+
 jobs:
+  permissions:
+    contents: write
+    packages: write
+    id-token: write
   docker_build:
     name: Docker build
     uses: ./.github/workflows/docker-build.yml

.github/workflows/peer-image.yml

@@ -18,6 +18,8 @@ on:
       - 'docs/**'
       - 'samples/**'
 
+permissions: read-all
+
 jobs:
   docker_build:
     name: Docker build

.github/workflows/status-checks-docker.yml

@@ -3,6 +3,8 @@ name: Skip docker status checks
 on:
   workflow_call:
 
+permissions: read-all
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/status-checks.yml

@@ -7,6 +7,8 @@ on:
       - 'docs/**'
       - 'samples/**'
 
+permissions: read-all
+
 jobs:
   lint:
     runs-on: ubuntu-latest