set specific cache permissions

cisagov · Oct 14, 2024 · 90adfcd · 90adfcd
1 parent b7325d4
commit 90adfcd
Showing 1 changed file with 17 additions and 2 deletions.
diff --git a/.github/workflows/clear_cache.yaml b/.github/workflows/clear_cache.yaml
@@ -9,14 +9,29 @@ on:
 
 # NOTE: This skip is not honored by Checkov.
 # checkov:skip=CKV2_GHA_1:Write permissions required to clear cache.
-permissions: write-all
+# permissions: write-all
 
 jobs:
   cleanup:
     name: Clear Cache
     runs-on: ubuntu-latest
     # checkov:skip=CKV2_GHA_1:Write permissions required to clear cache.
-    permissions: write-all
+    # permissions: write-all
+    permissions:
+      actions: read
+      attestations: read
+      checks: read
+      contents: write
+      deployments: read
+      id-token: write
+      issues: read
+      discussions: read
+      packages: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      security-events: read
+      statuses: read
     # Run even if one of the functional tests have failed
     # We always want to clean up the caches that we create
     if: always()