ci: Add GitHub token permissions for workflows

Signed-off-by: Varun Sharma <[email protected]>
RamKromberg · Jul 8, 2022 · 2c71278 · 2c71278
1 parent 1ba4ca5
commit 2c71278
Show file tree

Hide file tree

Showing 7 changed files with 36 additions and 0 deletions.
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
@@ -8,8 +8,14 @@ on:
 # the GitHub repository. This means that it should not evaluate user input in a
 # way that allows code injection.
 
+permissions:
+  contents: read
+
 jobs:
   backport:
+    permissions:
+      contents: write  # for zeebe-io/backport-action to create branch
+      pull-requests: write  # for zeebe-io/backport-action to create PR to backport
     name: Backport Pull Request
     if: github.repository_owner == 'NixOS' && github.event.pull_request.merged == true && (github.event_name != 'labeled' || startsWith('backport', github.event.label.name))
     runs-on: ubuntu-latest

diff --git a/.github/workflows/basic-eval.yml b/.github/workflows/basic-eval.yml
@@ -10,6 +10,9 @@ on:
   #   branches:
   #    - master
   #    - release-**
+permissions:
+  contents: read
+
 jobs:
   tests:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/direct-push.yml b/.github/workflows/direct-push.yml
@@ -4,8 +4,13 @@ on:
     branches:
      - master
      - release-**
+permissions:
+  contents: read
+
 jobs:
   build:
+    permissions:
+      contents: write  # for peter-evans/commit-comment to comment on commit
     runs-on: ubuntu-latest
     if: github.repository_owner == 'NixOS'
     env:

diff --git a/.github/workflows/pending-clear.yml b/.github/workflows/pending-clear.yml
@@ -4,8 +4,13 @@ on:
   check_suite:
     types: [ completed ]
 
+permissions:
+  contents: read
+
 jobs:
   action:
+    permissions:
+      statuses: write
     runs-on: ubuntu-latest
     steps:
     - name: clear pending status

diff --git a/.github/workflows/pending-set.yml b/.github/workflows/pending-set.yml
@@ -8,8 +8,13 @@ on:
 # the GitHub repository. This means that it should not evaluate user input in a
 # way that allows code injection.
 
+permissions:
+  contents: read
+
 jobs:
   action:
+    permissions:
+      statuses: write
     runs-on: ubuntu-latest
     steps:
     - name: set pending status

diff --git a/.github/workflows/periodic-merge-24h.yml b/.github/workflows/periodic-merge-24h.yml
@@ -14,8 +14,14 @@ on:
     # Merge every 24 hours
     - cron:  '0 0 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   periodic-merge:
+    permissions:
+      contents: write  # for devmasx/merge-branch to merge branches
+      issues: write  # for peter-evans/create-or-update-comment to create or update comment
     if: github.repository_owner == 'NixOS'
     runs-on: ubuntu-latest
     strategy:

diff --git a/.github/workflows/periodic-merge-6h.yml b/.github/workflows/periodic-merge-6h.yml
@@ -14,8 +14,14 @@ on:
     # Merge every 6 hours
     - cron:  '0 */6 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   periodic-merge:
+    permissions:
+      contents: write  # for devmasx/merge-branch to merge branches
+      issues: write  # for peter-evans/create-or-update-comment to create or update comment
     if: github.repository_owner == 'NixOS'
     runs-on: ubuntu-latest
     strategy: