ci: set content permissions as read

Signed-off-by: Artsiom Koltun <[email protected]>
opiproject · Jul 12, 2023 · 883cc25 · 883cc25
1 parent 39a2db0
commit 883cc25
Show file tree

Hide file tree

Showing 7 changed files with 37 additions and 0 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -7,7 +7,13 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   call:
+    permissions:
+      contents: read
+      security-events: write
     uses: opiproject/opi-smbios-bridge/.github/workflows/codeql.yml@main
     secrets: inherit
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -9,6 +9,9 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 concurrency:
   # if workflow for PR or push is already running stop it, and start new one
   group: poc-storage-${{ github.ref }}
@@ -17,6 +20,10 @@ concurrency:
 jobs:
   storage-push:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
     steps:
     - uses: actions/checkout@v3
     - uses: docker/setup-qemu-action@v2

diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -7,6 +7,9 @@ on:
   pull_request:
     branches: [ "main" ]
 
+permissions:
+  contents: read
+
 jobs:
   call:
     uses: opiproject/opi-smbios-bridge/.github/workflows/go.yml@main

diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
@@ -7,6 +7,9 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   call:
     uses: opiproject/opi-smbios-bridge/.github/workflows/linters.yml@main

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -5,7 +5,14 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 jobs:
   release-docker:
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
     uses: ./.github/workflows/docker-publish.yml
     secrets: inherit
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -7,7 +7,15 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   call:
+    permissions:
+      security-events: write
+      id-token: write
+      actions: read
+      contents: read
     uses: opiproject/opi-smbios-bridge/.github/workflows/scorecard.yml@main
     secrets: inherit
diff --git a/.github/workflows/update-copyright-years-in-license-file.yml b/.github/workflows/update-copyright-years-in-license-file.yml
@@ -5,6 +5,9 @@ on:
   schedule:
     - cron: '0 3 1 1 *'
 
+permissions:
+  contents: read
+
 jobs:
   call:
     uses: opiproject/opi-smbios-bridge/.github/workflows/update-copyright-years-in-license-file.yml@main