chore: add explicit GitHub workflow permissions

asyncliz · copybara-github · commit 417e1cfe671a · 2025-10-06T15:49:25.000-07:00
PiperOrigin-RevId: 815915576
diff --git a/.github/workflows/build-catalog.yml b/.github/workflows/build-catalog.yml
@@ -2,6 +2,9 @@ name: Build Catalog
 
 on: [push]
 
+permissions:
+  contents: read
+
 jobs:
   build-catalog:
     runs-on: ubuntu-latest
@@ -16,4 +19,4 @@ jobs:
       - run: npm ci
       - run: npm run build:catalog
         env:
-          WIREIT_FAILURES: continue
+          WIREIT_FAILURES: continue
diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml
@@ -2,6 +2,9 @@ name: commitlint
 
 on: [pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   commitlint:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/firebase-hosting-merge.yml b/.github/workflows/firebase-hosting-merge.yml
@@ -5,6 +5,10 @@ name: Deploy to Firebase Hosting on release and manual
       - published
   workflow_dispatch:
     # allows triggering from the gihub UI
+
+permissions:
+  contents: read
+
 jobs:
   build_and_deploy:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/firebase-hosting-pull-request.yml b/.github/workflows/firebase-hosting-pull-request.yml
@@ -5,6 +5,11 @@ name: Deploy to Firebase Hosting on PR
 on:
   pull_request:
     types: [ labeled ]
+
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   build_and_preview:
     if: github.event.label.name == 'preview-catalog' && github.event.pull_request.head.repo.full_name == github.repository
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -6,6 +6,9 @@ on:
   workflow_dispatch:
     # allows triggering from the github UI
 
+permissions:
+  contents: write
+
 jobs:
   check_for_changes:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -5,6 +5,9 @@ on:
     tags:
       - 'v*'
 
+permissions:
+  contents: read
+
 jobs:
   publish:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -2,6 +2,9 @@ name: Tests
 
 on: [push]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/update-docs-on-main.yml b/.github/workflows/update-docs-on-main.yml
@@ -5,6 +5,11 @@ on:
     branches: main
   workflow_dispatch:
     # allows triggering from the github UI
+
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   check-for-doc-changes:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/update-size-on-main.yml b/.github/workflows/update-size-on-main.yml
@@ -5,6 +5,11 @@ on:
     branches: main
   workflow_dispatch:
     # allows triggering from the github UI
+
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   check-for-doc-changes:
     runs-on: ubuntu-latest
