ci: Harden GitHub Actions (#2911)

utpilla · web-flow · commit 940ec2304bc4 · 2025-04-07T15:25:42.000-07:00
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
@@ -13,8 +13,7 @@ on:
     branches:
       - main
 name: benchmark pull requests
-permissions:
-  contents: read
+permissions: read-all
 
 jobs:
   runBenchmark:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,6 +1,7 @@
 name: CI
 env:
   CI: true
+permissions: read-all
 on:
   pull_request:
   push:
diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
@@ -5,8 +5,7 @@ on:
     branches:
       - main
 
-permissions:
-  contents: read
+permissions: read-all
 
 jobs:
   fossa:
diff --git a/.github/workflows/integration_tests.yml b/.github/workflows/integration_tests.yml
@@ -5,6 +5,8 @@ on:
   pull_request:
     types: [ labeled, synchronize, opened, reopened ]
 
+permissions: read-all
+
 jobs:
   integration_tests:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/markdown-link-check.yml b/.github/workflows/markdown-link-check.yml
@@ -8,8 +8,7 @@ on:
     paths:
       - '**/*.md'
 
-permissions:
-  contents: read
+permissions: read-all
 
 jobs:
   markdown-link-check:
diff --git a/.github/workflows/pr_naming.yml b/.github/workflows/pr_naming.yml
@@ -4,6 +4,8 @@ on:
   pull_request:
     types: [opened, synchronize, reopened, edited]
 
+permissions: read-all
+
 jobs:
   validate-pr-title:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/semver.yml b/.github/workflows/semver.yml
@@ -1,6 +1,7 @@
 name: Semver compliance
 env:
   CI: true
+permissions: read-all
 on:
   pull_request:
     types: [ labeled, synchronize, opened, reopened ]
