Merge pull request #298 from aquaproj/ci/limit-gha-permission

ci: limit GitHub Actions Workflow permissions
aquaproj · Dec 26, 2022 · 9cab815 · 9cab815
2 parents 0c9672b + 21da3da
commit 9cab815
Show file tree

Hide file tree

Showing 5 changed files with 10 additions and 0 deletions.
diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml
@@ -9,6 +9,8 @@ on:
     branches: [main]
     paths:
     - .github/**
+permissions:
+  contents: read
 jobs:
   default:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/renovate-config-validator.yaml b/.github/workflows/renovate-config-validator.yaml
@@ -12,6 +12,8 @@ on:
     paths:
     - .github/workflows/renovate-config-validator.yaml
     - renovate.json5
+permissions:
+  contents: read
 jobs:
   validate:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/test-actions-windows-bash.yaml b/.github/workflows/test-actions-windows-bash.yaml
@@ -6,6 +6,8 @@ on:
     tags: [v*]
   pull_request:
     branches: [main]
+permissions:
+  contents: read
 jobs:
   normal:
     runs-on: windows-latest

diff --git a/.github/workflows/test-actions.yaml b/.github/workflows/test-actions.yaml
@@ -6,6 +6,8 @@ on:
     tags: [v*]
   pull_request:
     branches: [main]
+permissions:
+  contents: read
 jobs:
   default:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -6,6 +6,8 @@ on:
     tags: [v*]
   pull_request:
     branches: [main]
+permissions:
+  contents: read
 jobs:
   default:
     runs-on: ubuntu-latest