restrict permissions at top level

nginx · May 8, 2024 · e0727ef · e0727ef
1 parent 84a3b6b
commit e0727ef
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 0 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -15,12 +15,18 @@ on:
     - reopened
     - synchronize
 
+permissions:
+  contents: read
+
 env:
   GOLANGCI_LINT_VERSION: 'v1.54.2'
   NFPM_VERSION: 'v2.32.0'
 
 jobs:
   lint:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+      pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
     name: Lint
     runs-on: ubuntu-22.04
     steps:

diff --git a/.github/workflows/label-pr.yml b/.github/workflows/label-pr.yml
@@ -4,6 +4,9 @@ on:
   pull_request_target:
     types: [opened, reopened, synchronize]
 
+permissions:  # added using https://github.com/step-security/secure-repo
+  contents: read
+
 jobs:
   label-pr:
     permissions:

diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml
@@ -22,6 +22,9 @@ on:
 
 jobs:
   update-draft:
+    permissions:
+      contents: write
+      pull-requests: write
     name: Update Release
     runs-on: ubuntu-22.04
     steps: