diff --git a/.github/workflows/buf-lint.yml b/.github/workflows/buf-lint.yml
index 1b05a28693..9ded58ad44 100644
--- a/.github/workflows/buf-lint.yml
+++ b/.github/workflows/buf-lint.yml
@@ -4,6 +4,9 @@ on:
 paths:
 - ".github/workflows/buf-lint.yml"
 - "**.proto"
+permissions:
+ contents: read
+
 jobs:
 buf:
 name: lint
diff --git a/.github/workflows/buf.yml b/.github/workflows/buf.yml
index 3a8d1d0402..e82dc56c90 100644
--- a/.github/workflows/buf.yml
+++ b/.github/workflows/buf.yml
@@ -3,6 +3,9 @@ on:
 push:
 branches:
 - main
+permissions:
+ contents: read
+
 jobs:
 buf:
 name: lint and publish
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 6036e80ae9..762e920163 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -6,6 +6,10 @@ on:
 schedule:
 - cron: "26 14 * * 1"

+permissions:
+ contents: read
+ security-events: write
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/funcbench.yml b/.github/workflows/funcbench.yml
index c7245c60ad..8959f82142 100644
--- a/.github/workflows/funcbench.yml
+++ b/.github/workflows/funcbench.yml
@@ -2,6 +2,9 @@ on:
 repository_dispatch:
 types: [funcbench_start]
 name: Funcbench Workflow
+permissions:
+ contents: read
+
 jobs:
 run_funcbench:
 name: Running funcbench
diff --git a/.github/workflows/fuzzing.yml b/.github/workflows/fuzzing.yml
index 87c40d3105..d0751f2fb6 100644
--- a/.github/workflows/fuzzing.yml
+++ b/.github/workflows/fuzzing.yml
@@ -1,6 +1,9 @@
 name: CIFuzz
 on:
 workflow_call:
+permissions:
+ contents: read
+
 jobs:
 Fuzzing:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/repo_sync.yml b/.github/workflows/repo_sync.yml
index 9526cd2fec..1d5365e4a8 100644
--- a/.github/workflows/repo_sync.yml
+++ b/.github/workflows/repo_sync.yml
@@ -3,6 +3,9 @@ name: Sync repo files
 on:
 schedule:
 - cron: '44 17 * * *'
+permissions:
+ contents: read
+
 jobs:
 repo_sync:
 runs-on: ubuntu-latest
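Review bot: In buf-lint.yml (and equally in buf.yml, funcbench.yml and repo_sync.yml) the new top-level `permissions:` block lists only `contents: read`, which sets every GITHUB_TOKEN scope that is not listed to `none`, and nothing in the file records that for the next maintainer. The job steps are outside these hunks, so it is worth confirming that none of them uses the default token to comment on a pull request, set a status or push; funcbench.yml and repo_sync.yml look like candidates from their names, unless they already authenticate with a separate secret. I would add a comment above the block, for example `# Least privilege: scopes not listed here are "none"; grant more per job if a step needs it.`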
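Review bot: In codeql-analysis.yml `security-events: write` is granted at workflow level, so any job later added to this file inherits a write scope it does not need. Keeping only `contents: read` at the top and giving `jobs.analyze` its own `permissions:` block with `contents: read` and `security-events: write` limits the write grant to the one job that uploads results; a job-level block replaces the workflow-level one, so it has to repeat `contents: read`. The analyze job's body continues outside the hunk. If this workflow is ever run in a private repository, the CodeQL action is documented as also needing `actions: read`.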
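Review bot: fuzzing.yml is a reusable workflow (`on: workflow_call`), so the added block can only narrow the token it receives from the calling workflow and does nothing for the caller's other jobs. The calling workflow is not part of the visible diff, so if it has no `permissions:` block of its own, those jobs keep the repository default. A comment above the block such as `# Called workflow: this can only reduce the scopes passed in by the caller.` would record that, and the caller deserves the same top-level `contents: read`.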