ci: Add GitHub token permissions for workflows

Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>
2022-07-04 13:48:23 -07:00 · 2022-07-04 13:48:23 -07:00 · d28102ad75
parent 6a40de444b
commit d28102ad75
8 changed files with 26 additions and 0 deletions
--- a/.github/workflows/autobump.yml
+++ b/.github/workflows/autobump.yml
@ -840,6 +840,9 @@ env:
    zstd
    zydis

+permissions:
+  contents: read
+
 jobs:
  autobump:
    if: github.repository == 'Homebrew/homebrew-core'
--- a/.github/workflows/autopublish.yml
+++ b/.github/workflows/autopublish.yml
@ -13,6 +13,9 @@ concurrency:
 env:
  HOMEBREW_FORCE_HOMEBREW_ON_LINUX: 1

+permissions:
+  contents: read
+
 jobs:
  autopublish:
    if: github.repository == 'Homebrew/homebrew-core'
--- a/.github/workflows/dispatch-build-bottle.yml
+++ b/.github/workflows/dispatch-build-bottle.yml
@ -26,6 +26,9 @@ env:
  HOMEBREW_NO_AUTO_UPDATE: 1
  HOMEBREW_CHANGE_ARCH_TO_ARM: 1

+permissions:
+  contents: read
+
 jobs:
  prepare:
    runs-on: ubuntu-latest
--- a/.github/workflows/publish-commit-bottles.yml
+++ b/.github/workflows/publish-commit-bottles.yml
@ -18,6 +18,9 @@ env:
  HOMEBREW_DEVELOPER: 1
  HOMEBREW_NO_AUTO_UPDATE: 1

+permissions:
+  contents: read
+
 jobs:
  upload:
    runs-on: ${{github.event.inputs.self_hosted == 'true' && 'linux-self-hosted-1' || 'ubuntu-latest'}}
--- a/.github/workflows/recreate-linux-runners.yml
+++ b/.github/workflows/recreate-linux-runners.yml
@ -10,6 +10,9 @@ concurrency:
  group: recreate-linux-runners
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
  recreate:
    if: github.repository == 'Homebrew/homebrew-core'
--- a/.github/workflows/remove-disabled-formulae.yml
+++ b/.github/workflows/remove-disabled-formulae.yml
@ -12,6 +12,9 @@ concurrency:
  group: remove-disabled-formulae
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
  remove-disabled-formulae:
    if: startsWith(github.repository, 'Homebrew/')
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@ -16,6 +16,9 @@ concurrency:
  group: "tests-${{ github.ref }}"
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

+permissions:
+  contents: read
+
 jobs:
  tap_syntax:
    if: github.repository == 'Homebrew/homebrew-core'
@ -40,6 +43,8 @@ jobs:
        id: formulae-detect

  setup_tests:
+    permissions:
+      pull-requests: read  
    if: github.event_name == 'pull_request' && github.repository == 'Homebrew/homebrew-core'
    runs-on: ubuntu-latest
    needs: tap_syntax
--- a/.github/workflows/triage.yml
+++ b/.github/workflows/triage.yml
@ -6,6 +6,9 @@ concurrency:
  group: "triage-${{ github.event.number }}"
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
  triage:
    runs-on: ubuntu-latest