Merge pull request #3140 from AlchemyCMS/backport/7.3-stable/pr-3139

[7.3-stable] CI: Set workflow permissions
AlchemyCMS · Jan 8, 2025 · db31ba7 · db31ba7
2 parents be4cab2 + 21a0886
commit db31ba7
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 1 deletion.
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
@@ -6,6 +6,9 @@ on:
       - closed
       - labeled
 
+permissions:
+  pull-requests: write
+
 jobs:
   backport:
     name: Backport

diff --git a/.github/workflows/brakeman-analysis.yml b/.github/workflows/brakeman-analysis.yml
@@ -7,6 +7,10 @@ concurrency:
   group: brakeman-${{ github.ref_name }}
   cancel-in-progress: ${{ github.ref_name != 'main' }}
 
+permissions:
+  contents: read
+  security-events: write
+
 on:
   push:
     branches:

diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml
@@ -12,6 +12,8 @@ on:
 
 jobs:
   check_bun_lock:
+    permissions:
+      contents: read
     runs-on: ubuntu-22.04
     name: Check bun.lockdb
     steps:
@@ -27,6 +29,8 @@ jobs:
       bun_lock_changed: ${{ steps.changed-bun-lock.outputs.any_changed }}
 
   build_javascript:
+    permissions:
+      contents: read
     runs-on: ubuntu-22.04
     name: Build JS packages
     needs: check_bun_lock
@@ -52,6 +56,8 @@ jobs:
           path: vendor/javascript
 
   RSpec:
+    permissions:
+      contents: read
     needs: [check_bun_lock, build_javascript]
     if: ${{ success('check_bun_lock') && !failure('build_javascript') }}
     runs-on: ubuntu-22.04
@@ -161,6 +167,8 @@ jobs:
             spec/dummy/tmp/screenshots
 
   PushJavascript:
+    permissions:
+      contents: write
     runs-on: ubuntu-22.04
     needs: [check_bun_lock, RSpec]
     if: github.event_name == 'pull_request'
@@ -193,6 +201,8 @@ jobs:
           branch: ${{ github.head_ref }}
 
   Jest:
+    permissions:
+      contents: read
     runs-on: ubuntu-22.04
     env:
       NODE_ENV: test

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -6,6 +6,9 @@ concurrency:
   group: lint-${{ github.ref_name }}
   cancel-in-progress: ${{ github.ref_name != 'main' }}
 
+permissions:
+  contents: read
+
 jobs:
   Standard:
     runs-on: ubuntu-22.04

diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -4,10 +4,13 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  pull-requests: write
+  issues: write
+
 jobs:
   stale:
     runs-on: ubuntu-22.04
-
     steps:
       - uses: actions/stale@v5
         with: