ci: install GitHubSecurityLab/actions-permissions and adjust permissions on non-release workflows

panva · panva · commit 177c5bdbb550 · 2025-06-18T09:20:49.000+02:00
diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml
@@ -1,5 +1,7 @@
 name: Conformance Checks
 
+permissions: {}
+
 on:
   push:
     branches: [main]
diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
@@ -1,11 +1,17 @@
 name: 'Lock threads'
 
+permissions: {}
+
 on:
   schedule:
     - cron: '55 11 * * 1'
 
 jobs:
   lock:
+    permissions:
+      issues: write
+      pull-requests: write
+      discussions: write
     if: ${{ github.repository == 'panva/node-oidc-provider' }}
     continue-on-error: true
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -11,6 +11,7 @@ jobs:
     permissions:
       id-token: write
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - name: Checkout
         uses: actions/checkout@v4
         with:
@@ -32,6 +33,7 @@ jobs:
     permissions:
       contents: write
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - name: Checkout
         uses: actions/checkout@v4
         with:
@@ -44,6 +46,7 @@ jobs:
       - npm
     runs-on: ubuntu-latest
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - name: Checkout
         uses: actions/checkout@v4
         with:
diff --git a/.github/workflows/retry.yml b/.github/workflows/retry.yml
@@ -1,5 +1,7 @@
 name: Retry
 
+permissions: {}
+
 on:
   workflow_run:
     workflows:
@@ -9,6 +11,8 @@ on:
 
 jobs:
   retry:
+    permissions:
+      actions: write
     runs-on: ubuntu-latest
     if: ${{ github.event.workflow_run.conclusion == 'failure' && github.event.workflow_run.run_attempt == 1 }}
     steps:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -1,5 +1,7 @@
 name: Test
 
+permissions: {}
+
 on:
   push:
     branches: [main]
