Fix token permissions for OpenSSF scorecard. (#4757)

pbchekin · web-flow · commit 71a87ff7fbd0 · 2025-07-21T13:32:31.000-07:00
Signed-off-by: Pavel Chekin &lt;pavel.chekin@intel.com&gt;
diff --git a/.github/workflows/build-macos.yml b/.github/workflows/build-macos.yml
@@ -7,6 +7,8 @@ on:
         required: true
         type: string
 
+permissions: read-all
+
 jobs:
   build-macos:
     runs-on: ${{ matrix.runner }}
diff --git a/.github/workflows/create_release.yml b/.github/workflows/create_release.yml
@@ -15,14 +15,14 @@ on:
   pull_request:
     paths: [.github/workflows/create_release.yml]
 
+permissions: read-all
+
 jobs:
 
   release:
     if: ${{ github.repository == 'triton-lang/triton' }}
     name: Create Release
     runs-on: ubuntu-latest
-    permissions:
-      contents: write
     outputs:
       release_name: "${{ steps.release_name.outputs.name }}"
     steps:
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
@@ -4,8 +4,7 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
-permissions:
-  contents: write
+permissions: read-all
 
 jobs:
   Build-Documentation:
diff --git a/.github/workflows/integration-tests-amd.yml b/.github/workflows/integration-tests-amd.yml
@@ -7,6 +7,8 @@ on:
         required: true
         type: string
 
+permissions: read-all
+
 jobs:
   integration-tests-amd:
     runs-on: ${{ matrix.runner }}
diff --git a/.github/workflows/integration-tests-nvidia.yml b/.github/workflows/integration-tests-nvidia.yml
@@ -7,6 +7,8 @@ on:
         required: true
         type: string
 
+permissions: read-all
+
 jobs:
   integration-tests-nvidia:
     runs-on: ${{ matrix.runner }}
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -3,6 +3,8 @@ name: Pre-Commit Check
 on:
   workflow_call:
 
+permissions: read-all
+
 jobs:
   pre-commit:
     name: pre-commit (code formatting)
diff --git a/.github/workflows/runner-preparation.yml b/.github/workflows/runner-preparation.yml
@@ -10,6 +10,8 @@ on:
       matrix-MACOS:
         value: ${{ jobs.prepare.outputs.matrix-MACOS }}
 
+permissions: read-all
+
 jobs:
   prepare:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/triton-benchmarks-bmg.yml b/.github/workflows/triton-benchmarks-bmg.yml
@@ -1,5 +1,7 @@
 name: Triton benchmarks, BMG
 
+permissions: read-all
+
 on:
   pull_request:
     branches:
diff --git a/.github/workflows/triton-benchmarks-pvc.yml b/.github/workflows/triton-benchmarks-pvc.yml
@@ -1,5 +1,7 @@
 name: Triton benchmarks, PVC
 
+permissions: read-all
+
 on:
   pull_request:
     branches:
