Remediate permissive workflow permissions

fish-shop · Jul 15, 2024 · 10a728e · 10a728e
1 parent 7b73509
commit 10a728e
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 0 deletions.
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -3,6 +3,11 @@ on:
   pull_request:
     branches:
       - main
+
+permissions: read-all
+
 jobs:
   dependency-review:
+    permissions:
+      pull-requests: write
     uses: fish-shop/workflows/.github/workflows/dependency-review.yml@b2aac444bc73a71eefab3eca22225e1f2e2d5727 # v1.9.2
diff --git a/.github/workflows/markdown-links.yml b/.github/workflows/markdown-links.yml
@@ -3,6 +3,11 @@ on:
   pull_request:
     branches:
       - main
+
+permissions: read-all
+
 jobs:
   markdown-links:
+    permissions:
+      pull-requests: write
     uses: fish-shop/workflows/.github/workflows/markdown-links.yml@b2aac444bc73a71eefab3eca22225e1f2e2d5727 # v1.9.2
diff --git a/.github/workflows/release-tags.yml b/.github/workflows/release-tags.yml
@@ -3,6 +3,11 @@ on:
   push:
     tags:
       - v[0-9]+.[0-9]+.[0-9]+
+
+permissions: read-all
+
 jobs:
   release-tags:
+    permissions:
+      contents: write
     uses: fish-shop/workflows/.github/workflows/release-tags.yml@b2aac444bc73a71eefab3eca22225e1f2e2d5727 # v1.9.2