GitHub workflow permissions (#39)

dvolodin7 · web-flow · commit 0069c320d977 · 2025-10-22T11:38:55.000+02:00
diff --git a/.github/workflows/build-docs.yml b/.github/workflows/build-docs.yml
@@ -16,6 +16,9 @@ on:
     paths: *on-paths
   release:
     types: ["published"]
+permissions:
+  contents: write
+  pull-requests: write
 jobs:
   build-push:
     name: "Build & Push Docs"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -1,5 +1,4 @@
 name: "CodeQL Scan"
-
 on:
   # @todo: Maybe too expensive, uncomment after fine tuning
   # push:
@@ -8,7 +7,9 @@ on:
   #   branches: [ "master" ]
   schedule:
     - cron: "34 20 * * *"
-
+permissions:
+  contents: read
+  pull-requests: write
 jobs:
   analyze:
     name: Analyze (${{ matrix.language }})
diff --git a/.github/workflows/infra-image.yml b/.github/workflows/infra-image.yml
@@ -7,6 +7,9 @@ on:
       - tests/infra/docker/**
   pull_request:
     paths: *changed-paths
+permissions:
+  contents: read
+  pull-requests: write
 jobs:
   changes:
     runs-on: ubuntu-24.04
diff --git a/.github/workflows/js-tests.yml b/.github/workflows/js-tests.yml
@@ -12,6 +12,9 @@ on:
     paths: *changed-paths
   release:
     types: ["published"]
+permissions:
+  contents: read
+  pull-requests: write
 jobs:
   js-lint:
     runs-on: ubuntu-24.04
diff --git a/.github/workflows/py-tests.yml b/.github/workflows/py-tests.yml
@@ -15,6 +15,10 @@ on:
     paths: *changed-paths
   release:
     types: ["published"]
+permissions:
+  contents: read
+  pull-requests: write
+  packages: read
 jobs:
   py-lint:
     runs-on: ubuntu-24.04
