chore: Set permissions for GitHub actions (#8550)

Restrict the GitHub token permissions only to just what is required and make them read-only where possible. Signed-off-by: neilnaveen <42328488+neilnaveen@users.noreply.github.com>
2025-12-08 21:36:08 +00:00 · 2022-07-04 14:12:32 -05:00 · 2022-07-04 14:12:32 -05:00 · f135bfa3e5
commit f135bfa3e5
parent 8494f7515d
5 changed files with 17 additions and 0 deletions
--- a/.github/workflows/build-cli.yml
+++ b/.github/workflows/build-cli.yml
@ -8,8 +8,13 @@ on:
 env:
  CI: true

+permissions:
+  contents: read
+
 jobs:
  build_cli:
+    permissions:
+      contents: write  # for softprops/action-gh-release to create GitHub release
    runs-on: macos-11
    steps:
      - uses: actions/checkout@v2
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@ -6,6 +6,9 @@ on:
  pull_request:
    branches: [master]

+permissions:
+  contents: read
+
 jobs:
  test:
    runs-on: ubuntu-latest
--- a/.github/workflows/nodejs.yml
+++ b/.github/workflows/nodejs.yml
@ -9,6 +9,9 @@ on:
  pull_request:
    branches: [master]

+permissions:
+  contents: read
+
 jobs:
  build:
    runs-on: ubuntu-latest
--- a/.github/workflows/release-insiders.yml
+++ b/.github/workflows/release-insiders.yml
@ -4,6 +4,9 @@ on:
  push:
    branches: [master]

+permissions:
+  contents: read
+
 jobs:
  build:
    runs-on: ubuntu-latest
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -4,6 +4,9 @@ on:
  release:
    types: [published]

+permissions:
+  contents: read
+
 jobs:
  build:
    runs-on: ubuntu-latest