ci: restrict job permissions

scottames · Apr 19, 2024 · 23b361d · 23b361d
1 parent ac044f5
commit 23b361d
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 5 deletions.
diff --git a/.github/workflows/pr_chezmoi_init.yaml b/.github/workflows/pr_chezmoi_init.yaml
@@ -1,3 +1,4 @@
+---
 name: chezmoi init
 on:
   push:
@@ -6,10 +7,13 @@ on:
   pull_request:
     branches:
       - main
+permissions: read-all
 jobs:
   getModules:
     name: chezmoi init
     runs-on: ubuntu-latest
+    permissions:
+      checks: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4

diff --git a/.github/workflows/pr_semantic.yml b/.github/workflows/pr_semantic.yml
@@ -1,16 +1,18 @@
+---
 name: Check Semantic Pull Request
-
 on:
   pull_request_target:
     types:
       - opened
       - edited
       - synchronize
-
+permissions: read-all
 jobs:
   main:
     name: Validate PR title
     runs-on: ubuntu-latest
+    permissions:
+      checks: write
     steps:
       - uses: amannn/action-semantic-pull-request@v5
         env:

diff --git a/.github/workflows/release_please.yml b/.github/workflows/release_please.yml
@@ -1,14 +1,16 @@
+---
 on:
   push:
     branches:
       - main
-permissions:
-  contents: write
-  pull-requests: write
 name: release-please
+permissions: read-all
 jobs:
   release-please:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - uses: google-github-actions/release-please-action@v4
         with: