fix: token permissions

maxday · maxday · commit 2da3c04143dd · 2025-05-28T12:41:06.000+01:00
diff --git a/.github/workflows/publish-layer-collector.yml b/.github/workflows/publish-layer-collector.yml
@@ -48,6 +48,9 @@ on:
         required: false
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   prepare-build-jobs:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release-layer-collector.yml b/.github/workflows/release-layer-collector.yml
@@ -8,10 +8,12 @@ on:
 
 permissions:
   id-token: write
-  contents: write
+  contents: read
 
 jobs:
   create-release:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -20,6 +22,8 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   build-layer:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     needs: create-release
     strategy:
diff --git a/.github/workflows/release-layer-java.yml b/.github/workflows/release-layer-java.yml
@@ -8,10 +8,12 @@ on:
 
 permissions:
   id-token: write
-  contents: write
+  contents: read
 
 jobs:
   create-release:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -20,6 +22,8 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   build-layer:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     needs: create-release
     outputs:
diff --git a/.github/workflows/release-layer-nodejs.yml b/.github/workflows/release-layer-nodejs.yml
@@ -8,10 +8,12 @@ on:
 
 permissions:
   id-token: write
-  contents: write
+  contents: read
 
 jobs:
   create-release:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -20,6 +22,8 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   build-layer:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     needs: create-release
     outputs:
diff --git a/.github/workflows/release-layer-python.yml b/.github/workflows/release-layer-python.yml
@@ -8,10 +8,12 @@ on:
 
 permissions:
   id-token: write
-  contents: write
+  contents: read
 
 jobs:
   create-release:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -20,6 +22,8 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   build-layer:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     needs: create-release
     outputs:
diff --git a/.github/workflows/release-layer-ruby.yml b/.github/workflows/release-layer-ruby.yml
@@ -8,10 +8,12 @@ on:
 
 permissions:
   id-token: write
-  contents: write
+  contents: read
 
 jobs:
   create-release:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -20,6 +22,8 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   build-layer:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     needs: create-release
     outputs:
