diff --git a/.github/workflows/cdk-e2e.yaml b/.github/workflows/cdk-e2e.yaml index 7d0b5afd..42db540a 100644 --- a/.github/workflows/cdk-e2e.yaml +++ b/.github/workflows/cdk-e2e.yaml @@ -7,6 +7,9 @@ on: schedule: - cron: "0 0 * * *" +permissions: + contents: read + jobs: build-and-test: strategy: diff --git a/.github/workflows/lint-pr-title.yml b/.github/workflows/lint-pr-title.yml index 87809d5c..fb36d3bb 100644 --- a/.github/workflows/lint-pr-title.yml +++ b/.github/workflows/lint-pr-title.yml @@ -8,6 +8,10 @@ on: - reopened - synchronize +permissions: + pull-requests: read + contents: read + jobs: main: name: conventional-commit diff --git a/.github/workflows/macos-ci.yaml b/.github/workflows/macos-ci.yaml index 44b0e15e..fa0d33d0 100644 --- a/.github/workflows/macos-ci.yaml +++ b/.github/workflows/macos-ci.yaml @@ -25,6 +25,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: install-dependencies: # This is a spot check for make install.dependencies on macOS x86/ARM platforms. diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index f5127862..a997d8ea 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -3,6 +3,10 @@ on: branches: - main name: release-please +permissions: + contents: write + pull-requests: write + jobs: release-please: runs-on: ubuntu-latest diff --git a/.github/workflows/submodulesync.yaml b/.github/workflows/submodulesync.yaml index 8493c295..c80735dd 100644 --- a/.github/workflows/submodulesync.yaml +++ b/.github/workflows/submodulesync.yaml @@ -5,6 +5,10 @@ on: - cron: '0 9 * * 1' workflow_dispatch: +permissions: + contents: write + pull-requests: write + jobs: update: runs-on: ubuntu-latest diff --git a/.github/workflows/windows-ci.yaml b/.github/workflows/windows-ci.yaml index fb9a7e85..c6ff8e03 100644 --- a/.github/workflows/windows-ci.yaml +++ b/.github/workflows/windows-ci.yaml @@ -21,6 +21,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: install-dependencies: # This is a spot check for make install.dependencies on Windows platform.