fix: add permissions to workflows (#1439)

erikburt · web-flow · commit 834486dee95d · 2026-03-03T21:39:48.000Z
diff --git a/.github/workflows/pull-request-main.yml b/.github/workflows/pull-request-main.yml
@@ -6,9 +6,13 @@ on:
     branches:
       - main
 
+permissions: {}
+
 jobs:
   ci-lint:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout repo (needed to reference local action)
         uses: actions/checkout@v5
@@ -24,6 +28,8 @@ jobs:
 
   ci-prettier:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout repo (needed to reference local action)
         uses: actions/checkout@v5
@@ -39,6 +45,8 @@ jobs:
 
   ci-lint-misc:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout repo (needed to reference local action)
         uses: actions/checkout@v5
@@ -56,6 +64,9 @@ jobs:
     #  1. More generalizable for all workspaces requiring build artifacts
     #  2. Have better attribution for the commits generated from this workflow
     if: false
+    permissions:
+      contents: write
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo (needed to reference local action)
@@ -85,6 +96,8 @@ jobs:
 
   ci-signed-commits:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout repo (needed to reference local action)
         uses: actions/checkout@v5
@@ -101,6 +114,8 @@ jobs:
 
   ci-test:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout repo (needed to reference local action)
         uses: actions/checkout@v5
@@ -116,6 +131,8 @@ jobs:
 
   ci-build-artifacts:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout repo (needed to reference local action)
         uses: actions/checkout@v5
diff --git a/.github/workflows/push-main.yml b/.github/workflows/push-main.yml
@@ -5,9 +5,13 @@ on:
     branches:
       - main
 
+permissions: {}
+
 jobs:
   ci-lint:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout repo (needed to reference local action)
         uses: actions/checkout@v5
@@ -21,6 +25,8 @@ jobs:
 
   ci-prettier:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout repo (needed to reference local action)
         uses: actions/checkout@v5
@@ -36,6 +42,8 @@ jobs:
 
   ci-test:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout repo (needed to reference local action)
         uses: actions/checkout@v5
diff --git a/.github/workflows/reusable-codeowners-review-analysis.yml b/.github/workflows/reusable-codeowners-review-analysis.yml
@@ -43,6 +43,8 @@ on:
         description: "AWS Lambda URL for GATI."
         required: false
 
+permissions: {}
+
 jobs:
   codeowners-review-analysis:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/schedule-renovate.yml b/.github/workflows/schedule-renovate.yml
@@ -5,6 +5,8 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions: {}
+
 jobs:
   renovate:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -3,7 +3,9 @@ name: Manage stale PRs
 on:
   schedule:
     - cron: "30 0 * * *" # will be triggered daily at 00:30 UTC.
+
 permissions: {}
+
 jobs:
   stale-prs:
     permissions:
