Limit some workflow permissions

Limiting our permissions to the base minimum needed for the given workflow. This PR gets workflows that run when a PR is opened.
ponylang · Jan 19, 2025 · cf71eb7 · cf71eb7
1 parent e5fcce7
commit cf71eb7
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 0 deletions.
diff --git a/.github/workflows/add-discuss-during-sync.yml b/.github/workflows/add-discuss-during-sync.yml
@@ -18,6 +18,9 @@ on:
     types:
       - submitted
 
+permissions:
+  pull-requests: write
+
 jobs:
   add-label:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/changelog-bot.yml b/.github/workflows/changelog-bot.yml
@@ -9,6 +9,10 @@ on:
     paths-ignore:
       - CHANGELOG.md
 
+permissions:
+  packages: read
+  pull-requests: write
+
 jobs:
   changelog-bot:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/lint-action-workflows.yml b/.github/workflows/lint-action-workflows.yml
@@ -6,6 +6,9 @@ concurrency:
   group: lint-actions-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  packages: read
+
 jobs:
   lint:
     name: Lint

diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -6,6 +6,9 @@ concurrency:
   group: pr-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  packages: read
+
 jobs:
   superlinter:
     name: Lint bash, docker, markdown, and yaml

diff --git a/.github/workflows/release-notes.yml b/.github/workflows/release-notes.yml
@@ -10,6 +10,11 @@ on:
       - .release-notes/next-release.md
       - .release-notes/\d+.\d+.\d+.md
 
+permissions:
+  packages: read
+  pull-requests: read
+  contents: write
+
 jobs:
   release-notes:
     runs-on: ubuntu-latest