ci: add minimum GitHub token permissions for workflows

Signed-off-by: Ashish Kurmi <akurmi@stepsecurity.io>
2025-03-05 20:59:13 -08:00 · 2022-09-07 21:27:16 -07:00 · 2022-09-07 21:27:16 -07:00 · 00ba2f9a46
parent 3cde9287a6
commit 00ba2f9a46
6 changed files with 18 additions and 0 deletions
--- a/.github/workflows/buf-lint.yml
+++ b/.github/workflows/buf-lint.yml
@ -4,6 +4,9 @@ on:
    paths:
      - ".github/workflows/buf-lint.yml"
      - "**.proto"
+permissions:
+  contents: read
+
 jobs:
  buf:
    name: lint
--- a/.github/workflows/buf.yml
+++ b/.github/workflows/buf.yml
@ -3,6 +3,9 @@ on:
  push:
    branches:
      - main
+permissions:
+  contents: read
+
 jobs:
  buf:
    name: lint and publish
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -6,6 +6,9 @@ on:
  schedule:
    - cron: "26 14 * * 1"

+permissions:
+  contents: read
+
 jobs:
  analyze:
    name: Analyze
--- a/.github/workflows/funcbench.yml
+++ b/.github/workflows/funcbench.yml
@ -2,6 +2,9 @@ on:
  repository_dispatch:
    types: [funcbench_start]
 name: Funcbench Workflow
+permissions:
+  contents: read
+
 jobs:
  run_funcbench:
    name: Running funcbench
--- a/.github/workflows/fuzzing.yml
+++ b/.github/workflows/fuzzing.yml
@ -1,6 +1,9 @@
 name: CIFuzz
 on:
  workflow_call:
+permissions:
+  contents: read
+
 jobs:
  Fuzzing:
    runs-on: ubuntu-latest
--- a/.github/workflows/repo_sync.yml
+++ b/.github/workflows/repo_sync.yml
@ -2,6 +2,9 @@
 on:
  schedule:
    - cron: '44 17 * * *'
+permissions:
+  contents: read
+
 jobs:
  repo_sync:
    runs-on: ubuntu-latest