Add workflow permissions (#9536)

michaelstaib · web-flow · commit 61160efbeadc · 2026-04-13T11:39:18.000+08:00
diff --git a/.github/workflows/ci-cleanup.yml b/.github/workflows/ci-cleanup.yml
@@ -8,6 +8,9 @@ on:
 jobs:
   cleanup:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: write
     steps:
       - name: Check out code
         uses: actions/checkout@v6
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -10,6 +10,9 @@ concurrency:
   group: ci-new-2-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   check-changes:
     name: Check for Changes
@@ -276,6 +279,9 @@ jobs:
     runs-on: ubuntu-latest
     needs: check-changes
     if: needs.check-changes.outputs.src_changes == 'true'
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v6
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
@@ -12,6 +12,9 @@ concurrency:
   group: main-coverage
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   configure:
     name: Generate Test Matrix
diff --git a/.github/workflows/publish-website.yml b/.github/workflows/publish-website.yml
@@ -10,6 +10,9 @@ on:
       - .docker/website/**
       - website/**
 
+permissions:
+  contents: read
+
 jobs:
   build-and-deploy:
     runs-on: ubuntu-latest
