Restrict default permissions of Github Actions

metabrainz · Sep 6, 2023 · bab30fd · bab30fd
1 parent 6f46ebc
commit bab30fd
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 0 deletions.
diff --git a/.github/workflows/codacy-analysis.yml b/.github/workflows/codacy-analysis.yml
@@ -17,6 +17,8 @@ on:
   schedule:
     - cron: '32 4 * * 0'
 
+permissions: {}
+
 jobs:
   codacy-security-scan:
     name: Codacy Security Scan

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -14,6 +14,11 @@ on:
   schedule:
     - cron: '0 14 * * 6'
 
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
 jobs:
   analyze:
     name: Analyze

diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
@@ -22,6 +22,8 @@ on:
     - 'win.version-info.txt.in'
   pull_request:
 
+permissions: {}
+
 jobs:
   package-macos:
     runs-on: macos-11
@@ -240,6 +242,8 @@ jobs:
       - package-macos
       - package-windows
       - package-pypi
+    permissions:
+      contents: write
     steps:
     - uses: actions/checkout@v3
     - uses: actions/setup-python@v4

diff --git a/.github/workflows/pypi-release.yml b/.github/workflows/pypi-release.yml
@@ -2,6 +2,7 @@ name: Package for PyPI
 
 on: [workflow_call]
 
+permissions: {}
 defaults:
   run:
     shell: bash

diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml
@@ -1,6 +1,7 @@
 name: Run tests
 
 on: [push, pull_request]
+permissions: {}
 
 jobs:
   test-latest: