chore: restrict GitHub actions permissions

Be more selective in granting permissions to actions
apache · Jun 17, 2024 · e2be896 · e2be896
1 parent 7647f13
commit e2be896
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/.github/workflows/dependency-graph.yml b/.github/workflows/dependency-graph.yml
@@ -3,10 +3,17 @@ on:
   push:
     branches:
       - main # default branch of the project
+
+permissions: {}
+
 jobs:
   dependency-graph:
     name: Update Dependency Graph
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - uses: scalacenter/sbt-dependency-submission@v2
+        permissions:
+          # The API requires write permission on the repository
+          # to submit dependencies
+          contents: write
diff --git a/.github/workflows/scala-steward.yml b/.github/workflows/scala-steward.yml
@@ -5,6 +5,10 @@ on:
 
 name: Launch Scala Steward
 
+# The GitHub Action doesn't need permissions: it only reads already-public
+# data and creates PRs through the scala-steward-asf bot:
+permissions: {}
+
 jobs:
   scala-steward:
     runs-on: ubuntu-22.04