diff --git a/.github/workflows/ci-bionic.yml b/.github/workflows/ci-bionic.yml
index 4718f34f0..a8df52549 100644
--- a/.github/workflows/ci-bionic.yml
+++ b/.github/workflows/ci-bionic.yml
@@ -7,6 +7,9 @@ on:
 pull_request:
 branches: [ master ]
 
+permissions:
+ contents: read
+
 jobs:
 build:
 defaults:
diff --git a/.github/workflows/ci-bullseye.yml b/.github/workflows/ci-bullseye.yml
index 3d34e77ff..eb0b7a7ce 100644
--- a/.github/workflows/ci-bullseye.yml
+++ b/.github/workflows/ci-bullseye.yml
@@ -7,6 +7,9 @@ on:
 pull_request:
 branches: [ master ]
 
+permissions:
+ contents: read
+
 jobs:
 build:
 defaults:
diff --git a/.github/workflows/ci-buster.yml b/.github/workflows/ci-buster.yml
index 66f263835..af7e7f94a 100644
--- a/.github/workflows/ci-buster.yml
+++ b/.github/workflows/ci-buster.yml
@@ -7,6 +7,9 @@ on:
 pull_request:
 branches: [ master ]
 
+permissions:
+ contents: read
+
 jobs:
 build:
 defaults:
diff --git a/.github/workflows/ci-centos-7.yml b/.github/workflows/ci-centos-7.yml
index 986b7815b..1b3566685 100644
--- a/.github/workflows/ci-centos-7.yml
+++ b/.github/workflows/ci-centos-7.yml
@@ -7,6 +7,9 @@ on:
 pull_request:
 branches: [ master ]
 
+permissions:
+ contents: read
+
 jobs:
 build:
 strategy:
diff --git a/.github/workflows/ci-centos-8.yml b/.github/workflows/ci-centos-8.yml
index 8ad222793..68e8c4284 100644
--- a/.github/workflows/ci-centos-8.yml
+++ b/.github/workflows/ci-centos-8.yml
@@ -7,6 +7,9 @@ on:
 pull_request:
 branches: [ master ]
 
+permissions:
+ contents: read
+
 jobs:
 build:
 strategy:
diff --git a/.github/workflows/ci-eslint.yml b/.github/workflows/ci-eslint.yml
index dce24c367..d8ba1c49f 100644
--- a/.github/workflows/ci-eslint.yml
+++ b/.github/workflows/ci-eslint.yml
@@ -7,6 +7,9 @@ on:
 pull_request:
 branches: [ master ]
 
+permissions:
+ contents: read
+
 jobs:
 eslint:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/ci-stretch.yml b/.github/workflows/ci-stretch.yml
index 8e30da10a..2849aa1c9 100644
--- a/.github/workflows/ci-stretch.yml
+++ b/.github/workflows/ci-stretch.yml
@@ -7,6 +7,9 @@ on:
 pull_request:
 branches: [ master ]
 
+permissions:
+ contents: read
+
 jobs:
 build:
 defaults:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 1de9e3bc9..5a8cfa099 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -14,8 +14,15 @@ on:
 schedule:
 - cron: '0 3 * * 5'
 
+permissions:
+ contents: read
+
 jobs:
 analyze:
+ permissions:
+ actions: read # for github/codeql-action/init to get workflow details
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/autobuild to send a status report
 name: Analyze
 runs-on: ubuntu-latest
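Review bot: The comment on the new `security-events: write` line in the codeql-analysis.yml hunk attributes the scope only to autobuild's status report, but the scope's main consumer in a CodeQL job is `github/codeql-action/analyze`, which needs it to upload SARIF results to code scanning; the `analyze` job body, and presumably that step, continues outside the hunk. As written, someone trimming permissions later could read the line as optional. I would reword it to `security-events: write # for github/codeql-action/analyze to upload results (also used by init/autobuild status reports)`. Note also that a job-level `permissions` block replaces rather than extends the workflow-level one, which is why restating `contents: read` inside the job, as the hunk does, is required and not redundant; a one-line comment above the job block saying so would keep a future cleanup from dropping it.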