Set appropriate actions permissions for build job.

DuendeSoftware · Nov 19, 2024 · f8578d8 · f8578d8
1 parent b352003
commit f8578d8
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 0 deletions.
diff --git a/.github/workflow-gen/Program.cs b/.github/workflow-gen/Program.cs
@@ -61,6 +61,8 @@ void GenerateCiWorkflow(Component component)
         .Defaults().Run("bash", component.Name)
         .Job;
 
+    job.Permissions(actions: Permission.Read, contents: Permission.Read, checks: Permission.Write);
+
     job.TimeoutMinutes(15);
 
     job.Step()

diff --git a/.github/workflows/access-token-management-ci.yml b/.github/workflows/access-token-management-ci.yml
@@ -20,6 +20,10 @@ jobs:
   build:
     name: Build
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      checks: write
+      contents: read
     defaults:
       run:
         shell: bash

diff --git a/.github/workflows/identity-model-ci.yml b/.github/workflows/identity-model-ci.yml
@@ -20,6 +20,10 @@ jobs:
   build:
     name: Build
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      checks: write
+      contents: read
     defaults:
       run:
         shell: bash

diff --git a/.github/workflows/identity-model-oidc-client-ci.yml b/.github/workflows/identity-model-oidc-client-ci.yml
@@ -20,6 +20,10 @@ jobs:
   build:
     name: Build
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      checks: write
+      contents: read
     defaults:
       run:
         shell: bash

diff --git a/.github/workflows/ignore-this-ci.yml b/.github/workflows/ignore-this-ci.yml
@@ -20,6 +20,10 @@ jobs:
   build:
     name: Build
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      checks: write
+      contents: read
     defaults:
       run:
         shell: bash