
Commit 00f0043

authored
Continue limiting workflow permissions (#7092)
1 parent 0644948 commit 00f0043


6 files changed

+33
-0
lines changed


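--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -12,6 +12,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build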
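Review bot: The workflow-level `permissions` block added at new lines 15–16 lists only `contents: read`, and in GitHub Actions naming any scope sets every unlisted scope (`pull-requests`, `checks`, `packages`, …) to `none` for each job that does not declare its own block; that consequence is not obvious from the two lines and deserves a comment, e.g. `permissions:  # read-only token by default; all other scopes are none unless a job overrides`. The body of the `build` job is outside the hunk, so whether any of its steps relied on the previous default token scopes cannot be checked here. The same workflow-level block is added in the other five files of this commit with the same caveat.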

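--- a/.github/workflows/generate-post-release-pr.yml
+++ b/.github/workflows/generate-post-release-pr.yml
@@ -2,6 +2,9 @@ name: Generate Post-Release PR
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   prereqs:
     runs-on: ubuntu-latest
@@ -15,6 +18,8 @@ jobs:
           fi
 
   create-pull-request-against-main:
+    permissions:
+      contents: write # for git push to PR branch
     runs-on: ubuntu-latest
     needs:
       - prereqs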
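Review bot: `create-pull-request-against-main` (new lines 21–22) is granted `contents: write` for the branch push, but a job-level `permissions` block replaces the workflow-level one rather than merging with it, so every other scope for this job is now `none`; if the job also opens the pull request with `GITHUB_TOKEN` (its steps are outside the hunk) it would additionally need `pull-requests: write`, whereas with an app or bot token that is not required — worth confirming before merge. The same pattern appears in `create-pull-request-against-release-branch` and `create-pull-request-against-main` in prepare-release-branch.yml, `prepare-patch-release` in prepare-patch-release.yml and `merge-change-log-to-main` in release.yml. As a point of style, the inline comment `contents: write # for git push to PR branch` has a single space before `#` as rendered here; yamllint's default `comments` rule expects two.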

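--- a/.github/workflows/prepare-patch-release.yml
+++ b/.github/workflows/prepare-patch-release.yml
@@ -2,8 +2,13 @@ name: Prepare patch release
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   prepare-patch-release:
+    permissions:
+      contents: write # for git push to PR branch
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2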

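--- a/.github/workflows/prepare-release-branch.yml
+++ b/.github/workflows/prepare-release-branch.yml
@@ -2,6 +2,9 @@ name: Prepare release branch
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   prereqs:
     runs-on: ubuntu-latest
@@ -21,6 +24,8 @@ jobs:
           fi
 
   create-pull-request-against-release-branch:
+    permissions:
+      contents: write # for git push to PR branch
     runs-on: ubuntu-latest
     needs:
       - prereqs
@@ -70,6 +75,8 @@ jobs:
             --base $RELEASE_BRANCH_NAME
 
   create-pull-request-against-main:
+    permissions:
+      contents: write # for git push to PR branch
     runs-on: ubuntu-latest
     needs:
       - prereqs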

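--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -2,8 +2,13 @@ name: Release
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   release:
+    permissions:
+      contents: write # for creating the release
     runs-on: ubuntu-24.04
     outputs:
       version: ${{ steps.create-github-release.outputs.version }}
@@ -126,6 +131,8 @@ jobs:
           echo "version=$VERSION" >> $GITHUB_OUTPUT
 
   merge-change-log-to-main:
+    permissions:
+      contents: write # for git push to PR branch
     runs-on: ubuntu-latest
     needs:
       - release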
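Review bot: The `release` job (new lines 10–11) carries `contents: write` for the whole job, and its body runs to at least new line 131 outside the hunk, so every step and every third-party action in it receives a token that can push to branches and tags as well as publish the release; the comment `# for creating the release` should not be read as limiting the scope to that one step. Consider isolating the release-creation step into its own short job that alone holds `contents: write`, or at least confirming that each action used in the job is pinned to a commit SHA as `actions/checkout` is elsewhere in this commit. `merge-change-log-to-main` at new lines 134–135 has the same job-wide scope.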

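--- a/.github/workflows/reusable-open-issue-on-failure.yml
+++ b/.github/workflows/reusable-open-issue-on-failure.yml
@@ -3,8 +3,14 @@ name: Reusable - Open issue on workflow failure
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   open-issue:
+    permissions:
+      contents: read
+      issues: write # for creating the issue
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2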
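Review bot: `issues: write` on `open-issue` (new line 13) only takes effect if the calling workflow's token already holds that scope — a workflow invoked through `workflow_call` runs with the caller's `GITHUB_TOKEN`, and a called workflow can only request permissions equal to or narrower than the caller's. This commit sets a workflow-level `permissions: contents: read` in release.yml and the other workflows; if any of them invokes this reusable workflow without granting `issues: write` on the calling job, issue creation will fail with a 403 at runtime rather than at validation. I would extend the comment to `issues: write  # for creating the issue; the calling job must grant at least issues: write`. The step list of `open-issue` continues outside the hunk.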
