From c99bf1ce2eee5c718d1baed81d0a9b10697c026d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Silva?= <2493377+askpt@users.noreply.github.com>
Date: Wed, 16 Apr 2025 16:43:20 +0100
Subject: [PATCH] chore(workflows): add permissions for contents and pull-requests in CI workflows
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: André Silva <2493377+askpt@users.noreply.github.com>
---
 .github/workflows/ci.yml | 3 +++
 .github/workflows/code-coverage.yml | 3 +++
 .github/workflows/dco-merge-group.yml | 3 +++
 .github/workflows/dotnet-format.yml | 3 +++
 .github/workflows/e2e.yml | 3 +++
 .github/workflows/lint-pr.yml | 5 ++++-
 6 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0a26e59c..bb1c7227 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,6 +12,9 @@ on:
 jobs:
 build:
+ permissions:
+ contents: read
+ pull-requests: write
 strategy:
 matrix:
 os: [ubuntu-latest, windows-latest]
diff --git a/.github/workflows/code-coverage.yml b/.github/workflows/code-coverage.yml
index be0a5412..a33413d8 100644
--- a/.github/workflows/code-coverage.yml
+++ b/.github/workflows/code-coverage.yml
@@ -12,6 +12,9 @@ on:
 jobs:
 build-test-report:
+ permissions:
+ contents: read
+ pull-requests: write
 strategy:
 matrix:
 os: [ubuntu-latest, windows-latest]
diff --git a/.github/workflows/dco-merge-group.yml b/.github/workflows/dco-merge-group.yml
index 0241f80a..018589ea 100644
--- a/.github/workflows/dco-merge-group.yml
+++ b/.github/workflows/dco-merge-group.yml
@@ -7,6 +7,9 @@ on:
 jobs:
 DCO:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
 if: ${{ github.actor != 'renovate[bot]' }}
 steps:
 - run: echo "dummy DCO workflow (it won't run any check actually) to trigger by merge_group in order to enable merge queue"
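Review bot: `pull-requests: write` on the `build` job in `.github/workflows/ci.yml` is a wider token scope than a build-and-test job normally needs, and the same three-line block is repeated on `build-test-report` in code-coverage.yml, `check-format` in dotnet-format.yml and `e2e-tests` in e2e.yml. The steps of these jobs lie outside the hunks, so this is hedged: unless a step comments on or labels the pull request, `pull-requests: read` would do, or the key can be dropped, since an unlisted scope becomes `none` once a `permissions:` block is present. The blocks are job-level only, so a job added to the same file later still gets the repository default token; a workflow-level `permissions:` with `contents: read` would close that gap. Where write access really is required, a comment on that line naming the step that uses it would document the exception.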
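Review bot: The `DCO` job in dco-merge-group.yml is given `contents: read` and `pull-requests: write`, but the only step visible in the hunk is an `echo` that never uses the token. If no further steps follow outside the hunk, `permissions: {}` on this job grants nothing and makes that intent explicit.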
diff --git a/.github/workflows/dotnet-format.yml b/.github/workflows/dotnet-format.yml
index 63259de0..16799cf1 100644
--- a/.github/workflows/dotnet-format.yml
+++ b/.github/workflows/dotnet-format.yml
@@ -9,6 +9,9 @@ on:
 jobs:
 check-format:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
 steps:
 - name: Check out code
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index ce4bb634..ae0ca839 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -13,6 +13,9 @@ on:
 jobs:
 e2e-tests:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
diff --git a/.github/workflows/lint-pr.yml b/.github/workflows/lint-pr.yml
index 5dbb5688..f2307927 100644
--- a/.github/workflows/lint-pr.yml
+++ b/.github/workflows/lint-pr.yml
@@ -1,4 +1,4 @@
-name: 'Lint PR'
+name: "Lint PR"
 on:
 pull_request_target:
@@ -11,6 +11,9 @@ jobs:
 main:
 name: Validate PR title
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
 steps:
 - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5
 env:
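Review bot: `pull-requests: write` on the `main` job of lint-pr.yml deserves more scrutiny than in the other workflows, because this file is triggered by `pull_request_target` and the token therefore carries these scopes for pull requests opened from forks as well. Validating a title only has to read the pull request, so if the steps after `env:` (outside the hunk) post no comment, `pull-requests: read` is sufficient, and `contents: read` can probably go too since no checkout is visible here. If a later step does write to the pull request, a comment such as `# write: needed by the PR comment step; this workflow must never check out PR head code` would record why the scope stays.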