Add Permissions

Vamshi-Microsoft · Vamshi-Microsoft · commit 779468f319f2 · 2026-01-09T16:57:59.000+05:30
diff --git a/.github/workflows/azure-dev-validation.yml b/.github/workflows/azure-dev-validation.yml
@@ -4,6 +4,7 @@ on:
 
 permissions:
   contents: read
+  actions: read
   id-token: write
   pull-requests: write
 
diff --git a/.github/workflows/broken-links-checker.yml b/.github/workflows/broken-links-checker.yml
@@ -8,6 +8,7 @@ on:
 
 permissions:
   contents: read
+  actions: read
 
 jobs:
   markdown-link-check:
diff --git a/.github/workflows/deploy-KMGeneric.yml b/.github/workflows/deploy-KMGeneric.yml
@@ -11,6 +11,11 @@ on:
   schedule:
     - cron: '0 9,21 * * *'  # Runs at 9:00 AM and 9:00 PM GMT
   workflow_dispatch:  # Allow manual triggering
+
+permissions:
+  contents: read
+  actions: read
+
 env:
   GPT_MIN_CAPACITY: 150
   TEXT_EMBEDDING_MIN_CAPACITY: 80
diff --git a/.github/workflows/deploy-linux.yml b/.github/workflows/deploy-linux.yml
@@ -86,6 +86,10 @@ on:
         default: ''
         type: string
 
+permissions:
+  contents: read
+  actions: read
+
 jobs:
   Run:
     uses: ./.github/workflows/deploy-orchestrator.yml
diff --git a/.github/workflows/deploy-windows.yml b/.github/workflows/deploy-windows.yml
@@ -70,6 +70,10 @@ on:
         default: ''
         type: string
 
+permissions:
+  contents: read
+  actions: read
+
 jobs:
   Run:
     uses: ./.github/workflows/deploy-orchestrator.yml
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
@@ -18,6 +18,10 @@ on:
       - demo
   workflow_dispatch:
 
+permissions:
+  contents: read
+  actions: read
+
 jobs:
   build-and-push:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/pr-title-checker.yml b/.github/workflows/pr-title-checker.yml
@@ -9,6 +9,8 @@ on:
   merge_group:
 
 permissions:
+  contents: read
+  actions: read
   pull-requests: read
 
 jobs:
diff --git a/.github/workflows/pylint.yml b/.github/workflows/pylint.yml
@@ -8,6 +8,10 @@ on:
       - '.flake8'
       - '.github/workflows/pylint.yml'
 
+permissions:
+  contents: read
+  actions: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/telemetry-template-check.yml b/.github/workflows/telemetry-template-check.yml
@@ -7,6 +7,10 @@ on:
     paths:
       - 'azure.yaml'
 
+permissions:
+  contents: read
+  actions: read
+
 jobs:
   validate-template-property:
     name: validate-template-property
diff --git a/.github/workflows/test-automation.yml b/.github/workflows/test-automation.yml
@@ -24,6 +24,11 @@ on:
       EMAILNOTIFICATION_LOGICAPP_URL_TA:
         required: false
         description: "Logic App URL for email notifications"
+
+permissions:
+  contents: read
+  actions: read
+
 env:
   # Use input URL if provided (from deploy pipeline), otherwise fall back to vars
   url: ${{ inputs.KMGENERIC_URL  }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -28,6 +28,10 @@ on:
       - 'src/api/requirements*.txt'
       - '.github/workflows/test.yml'
 
+permissions:
+  contents: read
+  actions: read
+
 jobs:
   #   frontend_tests:
   #     runs-on: ubuntu-latest
