From 286e86a74bc49db46bf0845f4ed1eeb4988bd988 Mon Sep 17 00:00:00 2001
From: "Uwe L. Korn"
Date: Tue, 8 Jul 2025 14:19:33 +0200
Subject: [PATCH 1/2] ci: Set explict top-level permissions for GHA

---
 .github/workflows/build.yml | 2 ++
 .github/workflows/chore.yml | 2 ++
 .github/workflows/ci.yml | 2 ++
 .github/workflows/codeql.yml | 2 ++
 4 files changed, 8 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a36229d3..79106e4c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -4,6 +4,8 @@ on:
 push:
 branches: [main]
 
+permissions: read-all
+
 jobs:
 metadata:
 name: Check if version changed
diff --git a/.github/workflows/chore.yml b/.github/workflows/chore.yml
index 84e62566..b948e04b 100644
--- a/.github/workflows/chore.yml
+++ b/.github/workflows/chore.yml
@@ -8,6 +8,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
 check-pr-title:
 name: Check PR Title
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 092c2a50..7d37987f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,6 +9,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
 pre-commit-checks:
 name: Pre-commit Checks
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index d1bf693f..dcfac0ae 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -10,6 +10,8 @@ on:
 schedule:
 - cron: "16 22 * * 5"
 
+permissions: read-all
+
 jobs:
 analyze:
 name: Analyze (${{ matrix.language }})

From 63d7e922befe670d50bac9789a6e5afbd77a2ee2 Mon Sep 17 00:00:00 2001
From: "Uwe L. Korn"
Date: Tue, 8 Jul 2025 14:30:31 +0200
Subject: [PATCH 2/2] Set contents: write for the release

---
 .github/workflows/build.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 79106e4c..21a94ba2 100644
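Review bot: `permissions: read-all` at the workflow level of build.yml caps every job that has no job-level `permissions:` block at read-only, and this workflow has a `provenance` job (it appears in the release job's `needs` in the second patch) whose steps are not in the hunk; provenance generators typically need `id-token: write` and often `contents: write`, so confirm that job declares its own `permissions:` or its token scope will start failing after this change. `read-all` is also wider than a checkout-only job requires; the usual least-privilege baseline is `permissions: { contents: read }` at the top, with additional scopes granted per job as the release job does below. The `jobs:` block this hunk opens continues outside the hunk.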
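Review bot: `permissions: read-all` in ci.yml grants read on every token scope (packages, pull-requests, security-events, and so on) when a job that, by its name, only checks out and runs pre-commit needs just `contents: read`; prefer `permissions: { contents: read }` here. The same narrowing applies to the identical line added to chore.yml, unless its check-pr-title job posts comments or statuses and then needs `pull-requests: write` at job level, which this diff does not show. The `jobs:` block continues outside the hunk.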
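Review bot: The CodeQL `analyze` job uploads SARIF to code scanning, which requires `security-events: write`, and a workflow-level `permissions: read-all` reduces that scope to read for any job that does not set its own `permissions:`; the `analyze` job body is outside this hunk, so verify it declares one. If it does not, add `permissions: { actions: read, contents: read, security-events: write }` under `analyze:` (a job-level block replaces the workflow-level set rather than extending it). Because the `schedule` trigger shown here runs weekly, a broken upload would only surface on the next Friday run, so exercise the workflow once after merge.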
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -139,6 +139,8 @@ jobs:
 needs: [metadata, build, provenance]
 if: needs.metadata.outputs.release == 'true'
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Download artifacts
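Review bot: With `contents: write` the release job's GITHUB_TOKEN can push commits and tags, and `actions/checkout` persists that token in `.git/config` by default where every later step, including whatever handles the downloaded artifacts, can read it; add `with: { persist-credentials: false }` to the checkout step unless a later step genuinely pushes with git. Note also that a job-level `permissions:` replaces the workflow-level `read-all` rather than adding to it, so this job now holds only `contents: write`; if any release step needs another scope (for example `id-token: write` for signing, or `actions: read` for artifacts from another run) it must be listed here as well. The job's remaining steps are outside the hunk.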