Set specific token permissions in GH actions

mboersma · mboersma · commit f82a7a87ec22 · 2024-01-24T16:20:20.000-07:00
diff --git a/.github/workflows/dependabot-code-gen.yml b/.github/workflows/dependabot-code-gen.yml
@@ -9,19 +9,20 @@ on:
       - dependabot/**
   workflow_dispatch:
 
-permissions:
-  contents: write # Allow to update the PR.
+permissions:  # added using https://github.com/step-security/secure-repo
+  contents: read
 
 jobs:
   build:
+    permissions:
+      contents: write  # for EndBug/add-and-commit
     name: Build
     runs-on: ubuntu-latest
     steps:
     - name: Harden Runner
       uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
       with:
         egress-policy: audit
-
     - name: Set up Go 1.x
       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
       with:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -4,10 +4,15 @@ on:
     tags:
     - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
 
+permissions:  # added using https://github.com/step-security/secure-repo
+  contents: read
+
 name: release
 
 jobs:
   build:
+    permissions:
+      contents: write  # for softprops/action-gh-release to create GitHub release
     name: tag release
     runs-on: ubuntu-latest
     steps:
