Lock down workflow permissions. (#19406)

Co-authored-by: Joel Challis <git@zvecr.com>
2025-10-31 05:12:33 +01:00 · 2022-12-23 10:41:16 +11:00 · 2022-12-23 10:41:16 +11:00 · f75ac6042e
commit f75ac6042e
parent b8a9de206d
13 changed files with 41 additions and 4 deletions
--- a/.github/workflows/api.yml
+++ b/.github/workflows/api.yml
@ -1,5 +1,8 @@
 name: Update API Data

+permissions:
+  contents: read
+
 on:
  push:
    branches:
--- a/.github/workflows/auto_approve.yml
+++ b/.github/workflows/auto_approve.yml
@ -1,5 +1,7 @@
 name: Automatic Approve

+permissions: {}
+
 on:
  schedule:
    - cron: "*/5 * * * *"
--- a/.github/workflows/auto_tag.yml
+++ b/.github/workflows/auto_tag.yml
@ -1,5 +1,8 @@
 name: Essential files modified

+permissions:
+  contents: write
+
 on:
  push:
    branches:
--- a/.github/workflows/cli.yml
+++ b/.github/workflows/cli.yml
@ -1,5 +1,8 @@
 name: CLI CI

+permissions:
+  contents: read
+
 on:
  push:
    branches:
--- a/.github/workflows/develop_update.yml
+++ b/.github/workflows/develop_update.yml
@ -1,5 +1,8 @@
 name: Update develop after master merge

+permissions:
+  contents: write
+
 on:
  push:
    branches:
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@ -1,5 +1,8 @@
 name: Generate Docs

+permissions:
+  contents: write
+
 on:
  push:
    branches:
--- a/.github/workflows/feature_branch_update.yml
+++ b/.github/workflows/feature_branch_update.yml
@ -1,5 +1,8 @@
 name: Update feature branches after develop merge

+permissions:
+  contents: write
+
 on:
  push:
    branches:
--- a/.github/workflows/format.yml
+++ b/.github/workflows/format.yml
@ -1,5 +1,8 @@
 name: PR Lint Format

+permissions:
+  contents: read
+
 on:
  pull_request:
    paths:
--- a/.github/workflows/format_push.yml
+++ b/.github/workflows/format_push.yml
@ -1,5 +1,8 @@
 name: Lint Format

+permissions:
+  contents: read
+
 on:
  push:
    branches:
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@ -1,5 +1,9 @@
 name: "Pull Request Labeler"

+permissions:
+  contents: read
+  pull-requests: write
+
 on:
  pull_request_target:
    types: [opened, synchronize, reopened, ready_for_review, locked]
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@ -1,5 +1,8 @@
 name: PR Lint keyboards

+permissions:
+  contents: read
+
 on:
  pull_request:
    paths:
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@ -1,13 +1,14 @@
 name: 'Close stale issues and PRs'
-on:
-  schedule:
-    - cron: '30 1 * * *'
-  workflow_dispatch:

 permissions:
  issues: write
  pull-requests: write

+on:
+  schedule:
+    - cron: '30 1 * * *'
+  workflow_dispatch:
+
 jobs:
  stale:
    runs-on: ubuntu-latest
--- a/.github/workflows/unit_test.yml
+++ b/.github/workflows/unit_test.yml
@ -1,5 +1,8 @@
 name: Unit Tests

+permissions:
+  contents: read
+
 on:
  push:
    branches: