Properly set workflow permissions

rsksmart · Dec 27, 2024 · 41b884a · 41b884a
1 parent 4f4ceed
commit 41b884a
Show file tree

Hide file tree

Showing 6 changed files with 18 additions and 2 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -8,13 +8,14 @@ on:
   schedule:
     - cron: "39 5 * * 1"
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
     permissions:
-      actions: read
-      contents: read
       security-events: write
 
     strategy:

diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
@@ -4,6 +4,9 @@ on:
   push:
     branches: [ "master" ]
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   coverage:
     name: Run tests and generate coverage reports

diff --git a/.github/workflows/lint-c.yml b/.github/workflows/lint-c.yml
@@ -2,6 +2,9 @@ name: Lint C code
 
 on: [push]
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   run-c-linter:
     name: Run C linter

diff --git a/.github/workflows/lint-python.yml b/.github/workflows/lint-python.yml
@@ -2,6 +2,9 @@ name: Lint Python code
 
 on: [push]
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   run-python-linter:
     name: Run Python linter

diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml
@@ -5,6 +5,9 @@ on:
   schedule:
     - cron: "17 6 * * *"
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   run-unit-tests:
     name: Unit tests

diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
@@ -4,6 +4,9 @@ on:
   push:
     branches: [ "master" ]
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   static-analysis:
     name: Run ledger static analysis