Adding missing permissions on GHA (#5870)

* Adding missing permissions on GHA * Adding read all permissions explicitly
dbt-labs · Sep 21, 2022 · 49ecd6a · 49ecd6a
1 parent c109f39
commit 49ecd6a
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 0 deletions.
diff --git a/.github/workflows/jira-transition.yml b/.github/workflows/jira-transition.yml
@@ -15,6 +15,9 @@ on:
  issues:
  types: [closed, deleted, reopened]
 
+# no special access is needed
+permissions: read-all
+
 jobs:
  call-label-action:
  uses: dbt-labs/jira-actions/.github/workflows/jira-transition.yml@main

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -20,6 +20,9 @@ on:
  description: 'The release version number (i.e. 1.0.0b1)'
  required: true
 
+permissions:
+ contents: write # this is the permission that allows creating a new release
+
 defaults:
  run:
  shell: bash

diff --git a/.github/workflows/schema-check.yml b/.github/workflows/schema-check.yml
@@ -21,6 +21,9 @@ on:
  - "*.latest"
  - "releases/*"
 
+# no special access is needed
+permissions: read-all
+
 env:
  LATEST_SCHEMA_PATH: ${{ github.workspace }}/new_schemas
  SCHEMA_DIFF_ARTIFACT: ${{ github.workspace }}//schema_schanges.txt

diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -3,6 +3,10 @@ on:
  schedule:
  - cron: "30 1 * * *"
 
+permissions:
+ issues: write
+ pull-requests: write
+
 jobs:
  stale:
  runs-on: ubuntu-latest

diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml
@@ -20,6 +20,10 @@ on:
  description: 'The version number to bump to (ex. 1.2.0, 1.3.0b1)'
  required: true
 
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
  bump:
  runs-on: ubuntu-latest