CI: Set workflow permissions

Adviced by the GH CodeQL scanner (cherry picked from commit ce3b4ad) # Conflicts: # .github/workflows/brakeman-analysis.yml # .github/workflows/build_test.yml # .github/workflows/lint.yml
AlchemyCMS · Jan 7, 2025 · 317738b · 317738b
1 parent 0001aa3
commit 317738b
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 1 deletion.
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
@@ -6,6 +6,9 @@ on:
       - closed
       - labeled
 
+permissions:
+  pull-requests: write
+
 jobs:
   backport:
     name: Backport

diff --git a/.github/workflows/brakeman-analysis.yml b/.github/workflows/brakeman-analysis.yml
@@ -3,6 +3,13 @@
 
 name: Brakeman Scan
 
+concurrency:
+  group: brakeman-${{ github.ref_name }}
+  cancel-in-progress: ${{ github.ref_name != 'main' }}
+
+permissions:
+  contents: read
+
 on:
   push:
     branches: [main]

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -2,6 +2,13 @@ name: Lint
 
 on: [pull_request]
 
+concurrency:
+  group: lint-${{ github.ref_name }}
+  cancel-in-progress: ${{ github.ref_name != 'main' }}
+
+permissions:
+  contents: read
+
 jobs:
   Standard:
     runs-on: ubuntu-22.04

diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -4,10 +4,13 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  pull-requests: write
+  issues: write
+
 jobs:
   stale:
     runs-on: ubuntu-22.04
-
     steps:
       - uses: actions/stale@v5
         with: