diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 229cbb9f20c..b0bf211290e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -227,6 +227,8 @@ jobs: govulncheck: runs-on: ubuntu-24.04 permissions: + # same as global permission + contents: read # required to write sarif report security-events: write steps: @@ -372,6 +374,8 @@ jobs: runs-on: ubuntu-24.04 if: ${{ github.ref == 'refs/heads/master' && github.repository == 'docker/buildx' }} permissions: + # same as global permission + contents: read # required to write sarif report security-events: write needs: diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index fe687f9a96c..9631b1b3cb2 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -23,6 +23,7 @@ jobs: codeql: runs-on: ubuntu-24.04 permissions: + contents: read actions: read security-events: write steps: diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index a5bff97efc9..c1b73a155cd 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -20,6 +20,9 @@ jobs: labeler: runs-on: ubuntu-latest permissions: + # same as global permission + contents: read + # required for writing labels pull-requests: write steps: -