diff --git a/.github/workflows/build-catalog.yml b/.github/workflows/build-catalog.yml
index bcc9940423..fba0f4ab74 100644
--- a/.github/workflows/build-catalog.yml
+++ b/.github/workflows/build-catalog.yml
@@ -2,6 +2,9 @@ name: Build Catalog
 on: [push]
+permissions:
+  contents: read
+
 jobs:
   build-catalog:
     runs-on: ubuntu-latest
@@ -16,4 +19,4 @@ jobs:
     - run: npm ci
     - run: npm run build:catalog
       env:
-        WIREIT_FAILURES: continue
\ No newline at end of file
+        WIREIT_FAILURES: continue
diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml
index dd04345460..403aac0769 100644
--- a/.github/workflows/commitlint.yml
+++ b/.github/workflows/commitlint.yml
@@ -2,6 +2,9 @@ name: commitlint
 on: [pull_request]
+permissions:
+  contents: read
+
 jobs:
   commitlint:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/firebase-hosting-merge.yml b/.github/workflows/firebase-hosting-merge.yml
index 85d76537c5..f2ed5bd43c 100644
--- a/.github/workflows/firebase-hosting-merge.yml
+++ b/.github/workflows/firebase-hosting-merge.yml
@@ -5,6 +5,10 @@ name: Deploy to Firebase Hosting on release and manual
       - published
   workflow_dispatch: # allows triggering from the gihub UI
+
+permissions:
+  contents: read
+
 jobs:
   build_and_deploy:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/firebase-hosting-pull-request.yml b/.github/workflows/firebase-hosting-pull-request.yml
index 95873cb896..5b5862def4 100644
--- a/.github/workflows/firebase-hosting-pull-request.yml
+++ b/.github/workflows/firebase-hosting-pull-request.yml
@@ -5,6 +5,11 @@ name: Deploy to Firebase Hosting on PR
 on:
   pull_request:
     types: [ labeled ]
+
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   build_and_preview:
     if: github.event.label.name == 'preview-catalog' && github.event.pull_request.head.repo.full_name == github.repository
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index d641da3698..e8e28cc647 100644
--- a/.github/workflows/nightly.yml
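Review bot: In firebase-hosting-pull-request.yml the new `pull-requests: write` is declared at the workflow level, so every job in the file receives it, not just the one that posts the preview link; the job that needs it is `build_and_preview`, whose steps (outside this hunk) presumably check out and build pull-request code, which is exactly the code that should run under the narrowest token. Keep the top-level block at `contents: read` and move the grant down, e.g. under `build_and_preview:` add `permissions:` / `  contents: read` / `  pull-requests: write`. The same-repo test on the `if` line is what keeps this write-capable token away from fork PRs and deserves a comment saying so, such as `# same-repo PRs only: this job runs PR code with a write-capable token`, because on a repository that has enabled write tokens for fork PRs the label alone would not be enough.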
+++ b/.github/workflows/nightly.yml
@@ -6,6 +6,9 @@ on:
   workflow_dispatch: # allows triggering from the github UI
+permissions:
+  contents: write
+
 jobs:
   check_for_changes:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index bb3b676e6c..318b78e2f3 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -5,6 +5,9 @@ on:
     tags:
       - 'v*'
+permissions:
+  contents: read
+
 jobs:
   publish:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 33c34a754e..b86bc6e493 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -2,6 +2,9 @@ name: Tests
 on: [push]
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/update-docs-on-main.yml b/.github/workflows/update-docs-on-main.yml
index cc94bd6a15..423fe2ac55 100644
--- a/.github/workflows/update-docs-on-main.yml
+++ b/.github/workflows/update-docs-on-main.yml
@@ -5,6 +5,11 @@ on:
     branches: main
   workflow_dispatch: # allows triggering from the github UI
+
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   check-for-doc-changes:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/update-size-on-main.yml b/.github/workflows/update-size-on-main.yml
index 0784e58172..afae449dc9 100644
--- a/.github/workflows/update-size-on-main.yml
+++ b/.github/workflows/update-size-on-main.yml
@@ -5,6 +5,11 @@ on:
     branches: main
   workflow_dispatch: # allows triggering from the github UI
+
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   check-for-doc-changes:
     runs-on: ubuntu-latest
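Review bot: `contents: write` at the top of nightly.yml hands push rights to every job in the file, including `check_for_changes`, which from its name only inspects the tree and needs nothing beyond read; the job(s) that actually commit or push are outside this hunk and are where the grant belongs. Set the workflow-level block to `permissions:` / `  contents: read` and add `permissions:` / `  contents: write` only on the job that pushes. The supply-chain angle is the reason to bother: if the nightly job runs `npm ci` under this token as the other workflows in this diff do, any install script in the dependency tree can push to the repository, whereas a read token limits the blast radius to the runner.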
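Review bot: update-docs-on-main.yml grants both `contents: write` and `pull-requests: write` to the whole workflow, so the `check-for-doc-changes` job, which presumably only diffs the generated docs, runs with the same token as the job that later commits and opens a PR. Scope the writes to that later job (outside this hunk) and leave `contents: read` at the top; a one-line comment on the job-level block, e.g. `# needs write to push the branch and open the docs PR`, records why the grant exists. One caveat worth a comment as well, if this workflow opens the PR with the default `GITHUB_TOKEN`: pull requests created by that token do not trigger `pull_request` workflows such as commitlint.yml, so the review checks in this repository will not run on it unless a different token or app is used.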
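Review bot: update-size-on-main.yml receives exactly the same workflow-level `contents: write` plus `pull-requests: write` block as update-docs-on-main.yml, and its first job still carries the id `check-for-doc-changes`, which suggests the file, and now its permission set, were copied from the docs workflow; confirm that the size update really opens a pull request rather than just pushing a commit, and drop `pull-requests: write` if it does not. As in the docs workflow, the writes should live on the job that pushes, with the top-level block reduced to `permissions:` / `  contents: read`, so the job that only computes sizes runs with a read-only token. The check job's steps are outside this hunk, so which job pushes is inferred, not visible.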