Add permissions to all workflows (#687)

truggeri · web-flow · commit 4c0bbfe3a642 · 2026-03-26T16:40:52.000-07:00
diff --git a/.github/workflows/check-uncommitted.yml b/.github/workflows/check-uncommitted.yml
@@ -1,5 +1,8 @@
 name: Check for uncommitted files
 
+permissions:
+  contents: read
+
 on:
   pull_request:
   push:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,4 +1,8 @@
 name: CI
+
+permissions:
+  contents: read
+  
 on:
   workflow_dispatch:
   push:
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
@@ -1,6 +1,8 @@
 name: Dependabot auto-merge
 on: pull_request_target
 
+permissions: {}
+
 jobs:
   dependabot:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/dependabot-build.yml b/.github/workflows/dependabot-build.yml
@@ -3,6 +3,9 @@ name: Compile dependabot updates
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   fetch-dependabot-metadata:
     runs-on: ubuntu-latest
@@ -25,6 +28,8 @@ jobs:
   build-dependabot-changes:
     runs-on: ubuntu-latest
     needs: [fetch-dependabot-metadata]
+    permissions:
+      contents: write
 
     # We only need to build the dist/ folder if the PR relates a production NPM dependency, otherwise we don't expect changes.
     if: needs.fetch-dependabot-metadata.outputs.package-ecosystem == 'npm_and_yarn' && needs.fetch-dependabot-metadata.outputs.dependency-type == 'direct:production'
diff --git a/.github/workflows/release-bump-version.yml b/.github/workflows/release-bump-version.yml
@@ -15,6 +15,8 @@ on:  # yamllint disable-line rule:truthy
           - patch
         default: "minor"
 
+permissions: {}
+
 jobs:
   Create-PR-To-Bump-Fetch-Metadata-Version:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release-move-tracking-tag.yml b/.github/workflows/release-move-tracking-tag.yml
@@ -12,6 +12,8 @@ on:
   release:
     types: [published]
 
+permissions: {}
+
 jobs:
   Move-Tracking-Tag-To-Latest-Release:
     runs-on: ubuntu-latest
