Specify permissions on all workflows

trask · trask · commit ffeaf20ab480 · 2025-06-06T20:10:33.000-07:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -7,6 +7,9 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
diff --git a/.github/workflows/codeql-daily.yml b/.github/workflows/codeql-daily.yml
@@ -6,6 +6,9 @@ on:
     - cron: '30 1 * * *'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/issue-management-feedback-label.yml b/.github/workflows/issue-management-feedback-label.yml
@@ -4,8 +4,15 @@ on:
   issue_comment:
     types: [created]
 
+permissions:
+  contents: read
+
 jobs:
   issue_comment:
+    permissions:
+      contents: read
+      issues: write
+      pull-requests: write
     if: >
       contains(github.event.issue.labels.*.name, 'needs author feedback') &&
       github.event.comment.user.login == github.event.issue.user.login
diff --git a/.github/workflows/issue-management-stale-action.yml b/.github/workflows/issue-management-stale-action.yml
@@ -11,6 +11,7 @@ permissions:
 jobs:
   stale:
     permissions:
+      contents: read
       issues: write  # for actions/stale to close stale issues
       pull-requests: write  # for actions/stale to close stale PRs
     runs-on: ubuntu-latest
diff --git a/.github/workflows/oats-tests.yml b/.github/workflows/oats-tests.yml
@@ -9,6 +9,9 @@ on:
       - 'logging-k8s-stdout-otlp-json/**'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   acceptance-tests:
     runs-on: ubuntu-24.04
diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml
@@ -8,16 +8,18 @@ on:
     - cron: "2 15 * * 1" # once a week
   workflow_dispatch:
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   analysis:
-    runs-on: ubuntu-latest
     permissions:
+      contents: read
       # Needed for Code scanning upload
       security-events: write
       # Needed for GitHub OIDC token if publish_results is true
       id-token: write
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
diff --git a/.github/workflows/reusable-workflow-notification.yml b/.github/workflows/reusable-workflow-notification.yml
@@ -9,8 +9,14 @@ on:
         type: boolean
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   workflow-notification:
+    permissions:
+      contents: read
+      issues: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
