ci: use permissions

simonhir · simonhir · commit 70494f41d410 · 2026-01-07T12:26:55.000+01:00
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
@@ -9,5 +9,7 @@ jobs:
   actionlint:
     name: Run actionlint
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: it-at-m/lhm_actions/action-templates/actions/action-actionlint@12966547963631f8429d42bab860485b413003c2 # v1.0.22
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -6,5 +6,7 @@ on:
 jobs:
   dependency-review:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: it-at-m/lhm_actions/action-templates/actions/action-dependency-review@12966547963631f8429d42bab860485b413003c2 # v1.0.22
diff --git a/.github/workflows/deploy-docs.yml b/.github/workflows/deploy-docs.yml
@@ -13,15 +13,13 @@ on:
       - "docs/**"
       - ".github/workflows/deploy-docs.yml"
 
-# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
-permissions:
-  contents: read
-  pages: write
-  id-token: write
-
 jobs:
   deploy-docs:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
     steps:
       - id: build_docs
         uses: it-at-m/lhm_actions/action-templates/actions/action-build-docs@12966547963631f8429d42bab860485b413003c2 # v1.0.22
diff --git a/.github/workflows/dockercompose-healthcheck.yml b/.github/workflows/dockercompose-healthcheck.yml
@@ -8,6 +8,8 @@ jobs:
   docker-compose-healthcheck:
     name: Run docker compose healthcheck
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: it-at-m/lhm_actions/action-templates/actions/action-dockercompose-healthcheck@12966547963631f8429d42bab860485b413003c2 # v1.0.22
         with:
diff --git a/.github/workflows/maven-node-build.yml b/.github/workflows/maven-node-build.yml
@@ -9,6 +9,9 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
     env:
       TZ: Europe/Berlin # timezone
     strategy:
diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml
@@ -22,6 +22,9 @@ on:
 jobs:
   release-maven:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     outputs:
       MVN_ARTIFACT_ID: ${{ steps.maven-release-step.outputs.MVN_ARTIFACT_ID }}
       ARTIFACT_NAME: ${{ steps.maven-release-step.outputs.artifact-name }}
@@ -43,6 +46,8 @@ jobs:
   build-image:
     runs-on: ubuntu-latest
     needs: release-maven
+    permissions:
+      packages: write
     steps:
       - uses: it-at-m/lhm_actions/action-templates/actions/action-build-image@12966547963631f8429d42bab860485b413003c2 # v1.0.22
         with:
@@ -58,6 +63,8 @@ jobs:
   create-github-release:
     needs: release-maven
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Download a single artifact
         uses: it-at-m/lhm_actions/action-templates/actions/action-create-github-release@12966547963631f8429d42bab860485b413003c2 # v1.0.22
diff --git a/.github/workflows/npm-release.yml b/.github/workflows/npm-release.yml
@@ -53,8 +53,10 @@ jobs:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} # Centralized token in it-at-m GitHub organization
 
   build-image:
-    runs-on: ubuntu-latest
     needs: release
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
     steps:
       - uses: it-at-m/lhm_actions/action-templates/actions/action-build-image@12966547963631f8429d42bab860485b413003c2 # v1.0.22
         with:
@@ -66,9 +68,12 @@ jobs:
           image-tags: |
             type=semver,pattern={{version}},value=${{ needs.release.outputs.ARTIFACT_VERSION }}
             type=raw,value=latest
+
   create-github-release:
     needs: release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Create GitHub Release
         uses: it-at-m/lhm_actions/action-templates/actions/action-create-github-release@12966547963631f8429d42bab860485b413003c2 # v1.0.22
