diff --git a/.github/workflows/cifuzz.yaml b/.github/workflows/cifuzz.yaml
index 202ce966..891c4e45 100644
--- a/.github/workflows/cifuzz.yaml
+++ b/.github/workflows/cifuzz.yaml
@@ -3,6 +3,10 @@ on:
 pull_request:
 branches:
 - main
+
+permissions:
+ contents: read # for actions/checkout to fetch code
+
 jobs:
 Fuzzing:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index 93641989..2a8efd03 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -6,6 +6,9 @@ on:
 branches:
 - main
 
+permissions:
+ contents: read # for actions/checkout to fetch code
+
 jobs:
 kind:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 0d60165a..6f1dc2dc 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -7,6 +7,9 @@ on:
 env:
 REPOSITORY: ${{ github.repository }}
 
+permissions:
+ contents: read # for actions/checkout to fetch code
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml
index 74a9049a..3ba814dd 100644
--- a/.github/workflows/rebase.yml
+++ b/.github/workflows/rebase.yml
@@ -6,6 +6,11 @@ on:
 issue_comment:
 types: [created]
 
+permissions:
+ contents: read # for actions/checkout to fetch code
+ pull-requests: read
+ repository-projects: write
+
 jobs:
 rebase:
 if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase') && (github.event.comment.author_association == 'CONTRIBUTOR' || github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'OWNER')
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index fd0fbae9..8150f174 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -8,6 +8,10 @@ on:
 schedule:
 - cron: '18 10 * * 3'
 
+permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for codeQL to write security events
+
 jobs:
 fossa:
 name: FOSSA
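Review bot: In rebase.yml, `repository-projects: write` is the only write scope in the new `permissions` block and the only entry without a comment naming the step that needs it; nothing visible in the hunk touches project boards. It should either be dropped or documented in the same style as the line above it, e.g. `repository-projects: write # needed by <step> for <reason>`. The job's steps are outside the hunk, so check the scopes against them: if the rebase step pushes with `GITHUB_TOKEN`, `contents: read` would not be enough, and if it pushes with a separate token from secrets, every `GITHUB_TOKEN` scope here could probably be read-only. This workflow is triggered by `issue_comment`, which runs in the base repository's context, so a minimal token matters more here than in the `pull_request` workflows.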
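Review bot: In scan.yml, `security-events: write` is granted at workflow level, so every job in the file receives it, including `fossa`, although the comment says only CodeQL needs it. Scoping it to the job keeps the other jobs read-only: leave `contents: read` at the top and put a `permissions:` block with `contents: read` and `security-events: write` under the CodeQL job. A job-level `permissions` block replaces the workflow-level one rather than adding to it, which is why `contents: read` has to be repeated there. The jobs after `fossa` are outside the hunk, so confirm the CodeQL job's name and steps before moving the line.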