submariner-io · skitt · Aug 25, 2022 · Aug 24, 2022
@@ -4,6 +4,8 @@ name: Branch Checks
 on:
   pull_request:
 
+permissions: {}
+
 jobs:
   target_branch:
     name: PR targets branch

@@ -4,6 +4,8 @@ name: Clean Target Verification
 on:
   pull_request:
 
+permissions: {}
+
 env:
   DEBUG_PRINT: true
 jobs:

@@ -7,6 +7,8 @@ on:
       - 'CODEOWNERS'
       - 'CODEOWNERS.in'
 
+permissions: {}
+
 jobs:
   updated:
     name: Up-to-date

@@ -5,6 +5,8 @@ on:
   pull_request:
     types: [labeled, opened, synchronize, reopened]
 
+permissions: {}
+
 jobs:
   e2e:
     name: E2E Consuming

@@ -1,6 +1,11 @@
 ---
 name: PR Dependencies
 
+permissions:
+  issues: write
+  pull-requests: write
+  statuses: write
+
 on:
   issues:
     types:

@@ -4,6 +4,8 @@ name: Linting
 on:
   pull_request:
 
+permissions: {}
+
 jobs:
   apply-suggestions-commits:
     name: 'No "Apply suggestions from code review" Commits'

@@ -4,6 +4,8 @@ name: Multi-arch Builds
 on:
   pull_request:
 
+permissions: {}
+
 env:
   DEBUG_PRINT: true
 jobs:

@@ -5,6 +5,8 @@ on:
   schedule:
     - cron: "0 0 * * 0"
 
+permissions: {}
+
 jobs:
   markdown-link-check-periodic:
     name: Markdown Links (all files)

@@ -7,6 +7,8 @@ on:
       - devel
       - release-*
 
+permissions: {}
+
 jobs:
   release:
     name: Release Images

@@ -7,11 +7,15 @@ on:
       - devel
       - release-*
 
+permissions: {}
+
 jobs:
   vulnerability-scan:
     name: Vulnerability Scanning
     if: github.repository_owner == 'submariner-io'
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write
     steps:
       - name: Check out the repository
         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b

@@ -4,6 +4,8 @@ name: Shared Scripts
 on:
   pull_request:
 
+permissions: {}
+
 env:
   DEBUG_PRINT: true
 jobs:

@@ -4,6 +4,8 @@ name: Unit Test Validation
 on:
   pull_request:
 
+permissions: {}
+
 jobs:
   check-unit-tests-fail:
     name: 'Check that unit test failures are detected'

@@ -5,6 +5,8 @@ on:
   pull_request:
     branches: [devel]
 
+permissions: {}
+
 jobs:
   upgrade-e2e:
     name: Latest Release to Latest Version
-Original file line number
+Diff line change
@@ Expand Up / @@ -4,6 +4,8 @@ name: Clean Target Verification @@
     on:
       pull_request:
+    permissions: {}
     env:
       DEBUG_PRINT: true
     jobs:
@@ Expand Down @@