chore: GitHub Workflows security hardening (#2740)

sashashura · web-flow · commit 26683e993df0 · 2023-10-27T10:45:09.000-07:00
* build: harden tests.yml permissions

Signed-off-by: Alex &lt;aleksandrosansan@gmail.com&gt;

* build: harden release-please.yml permissions

Signed-off-by: Alex &lt;aleksandrosansan@gmail.com&gt;

* build: harden visual-studio.yml permissions

Signed-off-by: Alex &lt;aleksandrosansan@gmail.com&gt;

* Update release-please.yml

---------

Signed-off-by: Alex &lt;aleksandrosansan@gmail.com&gt;
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -7,6 +7,10 @@ on:
 
 jobs:
   release-please:
+    permissions:
+      contents: write # to create release commit (google-github-actions/release-please-action)
+      pull-requests: write # to create release PR (google-github-actions/release-please-action)
+
     runs-on: ubuntu-latest
     steps:
       - uses: google-github-actions/release-please-action@v2
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -7,6 +7,10 @@ on:
     branches: [ main ]
   pull_request:
     branches: [ main ]
+
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   Lint_Python:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/visual-studio.yml b/.github/workflows/visual-studio.yml
@@ -6,6 +6,10 @@ on:
     branches: [ main ]
   pull_request:
     branches: [ main ]
+
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   visual-studio:
     strategy:
