VLN-497: Set explicit permissions for GitHub Actions workflows (#1815)

picatz · web-flow · commit 54b070408654 · 2025-10-29T14:52:19.000-04:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -7,6 +7,10 @@ on:
       - main
       - releases/*
 
+permissions:
+  contents: read
+  actions: write
+
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   # Is it the official main branch, or an official release branches?
diff --git a/.github/workflows/conventions.yml b/.github/workflows/conventions.yml
@@ -3,6 +3,10 @@ name: Conventions
 on:
   workflow_call:
 
+permissions:
+  contents: read
+  actions: read
+
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -22,6 +22,10 @@ on:
         required: false
         description: The Vercel token. Required if 'publish_target' is set.
 
+permissions:
+  contents: read
+  actions: read
+
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
diff --git a/.github/workflows/nightly-throughput-stress.yml b/.github/workflows/nightly-throughput-stress.yml
@@ -25,6 +25,10 @@ on:
         default: 360
         type: number
 
+permissions:
+  contents: read
+  actions: write
+
 env:
   # Workflow configuration
   TEST_DURATION: ${{ inputs.duration || vars.NIGHTLY_TEST_DURATION || '5h' }}
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -6,6 +6,10 @@ on:
     - cron: '00 08 * * *'
     # (1 AM PST)
 
+permissions:
+  contents: read
+  actions: write
+
 jobs:
   nightly:
     uses: ./.github/workflows/stress.yml
diff --git a/.github/workflows/omes.yml b/.github/workflows/omes.yml
@@ -6,6 +6,10 @@ on:
       - main
       - 'releases/*'
 
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   omes-image-build:
     uses: temporalio/omes/.github/workflows/docker-images.yml@main
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -6,6 +6,10 @@ on:
       - main
       - 'releases/*'
 
+permissions:
+  contents: read
+  actions: write
+
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   # Is it the official main branch, or an official release branches?
diff --git a/.github/workflows/stress.yml b/.github/workflows/stress.yml
@@ -38,6 +38,10 @@ on:
         required: true
         type: boolean
 
+permissions:
+  contents: read
+  actions: write
+
 env:
   TEMPORAL_TESTING_LOG_DIR: /tmp/worker-logs
   TEMPORAL_TESTING_MEM_LOG_DIR: /tmp/worker-mem-logs
