Continue limiting workflow permissions (#7092)

2025-02-10 11:40:56 -06:00 · 2025-02-10 11:40:56 -06:00 · 00f00433f3
parent 06449488ce
commit 00f00433f3
6 changed files with 33 additions and 0 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -12,6 +12,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
  build:
    name: Build
--- a/.github/workflows/generate-post-release-pr.yml
+++ b/.github/workflows/generate-post-release-pr.yml
@ -2,6 +2,9 @@ name: Generate Post-Release PR
 on:
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  prereqs:
    runs-on: ubuntu-latest
@ -15,6 +18,8 @@ jobs:
          fi

  create-pull-request-against-main:
+    permissions:
+      contents: write # for git push to PR branch
    runs-on: ubuntu-latest
    needs:
      - prereqs
--- a/.github/workflows/prepare-patch-release.yml
+++ b/.github/workflows/prepare-patch-release.yml
@ -2,8 +2,13 @@ name: Prepare patch release
 on:
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  prepare-patch-release:
+    permissions:
+      contents: write  # for git push to PR branch
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
--- a/.github/workflows/prepare-release-branch.yml
+++ b/.github/workflows/prepare-release-branch.yml
@ -2,6 +2,9 @@ name: Prepare release branch
 on:
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  prereqs:
    runs-on: ubuntu-latest
@ -21,6 +24,8 @@ jobs:
          fi

  create-pull-request-against-release-branch:
+    permissions:
+      contents: write  # for git push to PR branch
    runs-on: ubuntu-latest
    needs:
      - prereqs
@ -70,6 +75,8 @@ jobs:
                       --base $RELEASE_BRANCH_NAME

  create-pull-request-against-main:
+    permissions:
+      contents: write  # for git push to PR branch
    runs-on: ubuntu-latest
    needs:
      - prereqs
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -2,8 +2,13 @@ name: Release
 on:
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  release:
+    permissions:
+      contents: write # for creating the release
    runs-on: ubuntu-24.04
    outputs:
      version: ${{ steps.create-github-release.outputs.version }}
@ -126,6 +131,8 @@ jobs:
          echo "version=$VERSION" >> $GITHUB_OUTPUT

  merge-change-log-to-main:
+    permissions:
+      contents: write # for git push to PR branch
    runs-on: ubuntu-latest
    needs:
      - release
--- a/.github/workflows/reusable-open-issue-on-failure.yml
+++ b/.github/workflows/reusable-open-issue-on-failure.yml
@ -3,8 +3,14 @@ name: Reusable - Open issue on workflow failure
 on:
  workflow_call:

+permissions:
+  contents: read
+
 jobs:
  open-issue:
+    permissions:
+      contents: read
+      issues: write # for creating the issue
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2