diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml
index 92eeb93a0..e2aba04f1 100644
--- a/.github/workflows/automerge.yml
+++ b/.github/workflows/automerge.yml
@@ -8,6 +8,10 @@ on:
 workflows: ["CI"]
 types: [completed]
 
+permissions:
+ contents: read
+ pull-requests: write
+
 jobs:
 on-success:
 if: >
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index f5649c2bc..d4c56c6ed 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -10,6 +10,10 @@ on:
 # Allows this workflow to be run manually from the Actions tab
 workflow_dispatch:
 
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 release:
 name: Create/Update Release Pull Request
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4f0a50384..73f67e212 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -18,6 +18,9 @@ on:
 - "*.md"
 types: [opened, ready_for_review, reopened, synchronize]
 
+permissions:
+ contents: read
+
 # This allows a subsequently queued workflow run to interrupt previous runs
 concurrency:
 group: "${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 32b4434e9..706aff58d 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -19,8 +19,6 @@ on:
 types: [opened, ready_for_review, reopened, synchronize]
 
 permissions:
- actions: read
- contents: read
 security-events: write
 
 # This allows a subsequently queued workflow run to interrupt previous runs
diff --git a/.github/workflows/link-check.yml b/.github/workflows/link-check.yml
index 159284bb8..ba0bd7c2a 100644
--- a/.github/workflows/link-check.yml
+++ b/.github/workflows/link-check.yml
@@ -29,6 +29,9 @@ on:
 # Allows this workflow to be run manually from the Actions tab
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 link-check:
 name: Link Check
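Review bot: In automerge.yml the new `permissions:` block is declared at workflow level, so `pull-requests: write` is granted to every job of a workflow that runs on `workflow_run` (in the base repository's context, after CI completes), not only to `on-success`. Declaring it under the job instead (`jobs.on-success.permissions`) keeps any other job in the file on a read-only token; the jobs list continues outside the hunk, so the number of jobs is not visible here. The same applies to cd.yml, where `contents: write` and `pull-requests: write` could sit under `release`. If the merge step authenticates with `GITHUB_TOKEN`, also confirm that `contents: read` is sufficient, since merging a pull request normally requires `contents: write`.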
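Review bot: In codeql.yml the hunk drops `actions: read` and `contents: read` and leaves only `security-events: write`; once a `permissions:` block is present every scope not listed becomes `none`, so this workflow's token loses repository read access. That works on a public repository, but on a private or internal one the checkout and CodeQL's workflow-run lookup would be expected to fail. It is also inconsistent with the other workflows in this commit, which declare `contents: read` explicitly. I would keep `contents: read` (and `actions: read` if the repository can ever be private) next to `security-events: write`, with a comment such as `# security-events: write is needed to upload code scanning results`.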