diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
index 5ed0236cc..346cd550f 100644
--- a/.github/workflows/nodejs.yml
+++ b/.github/workflows/nodejs.yml
@@ -14,6 +14,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
 cancel-in-progress: true
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 prepare-yarn-cache-ubuntu:
 uses: ./.github/workflows/prepare-cache.yml
@@ -125,6 +128,9 @@ jobs:
 'echo "::error file={}::This needs to be regenerated by running \`tools:regenerate-docs\`" && false'
 release:
+ permissions:
+ contents: write # for semantic-release
+
 if: # prettier-ignore
 ${{ github.event_name == 'push' && (github.event.ref == 'refs/heads/main' || github.event.ref == 'refs/heads/next') }}
diff --git a/.github/workflows/smoke-test.yml b/.github/workflows/smoke-test.yml
index ac1eb3fde..f0a02e1f1 100644
--- a/.github/workflows/smoke-test.yml
+++ b/.github/workflows/smoke-test.yml
@@ -5,8 +5,16 @@ on:
 - cron: '0 0 * * SUN'
 workflow_dispatch:
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 test:
+ permissions:
+ contents: read # to fetch code (actions/checkout)
+ issues: write # to create comment
+ pull-requests: read # for searching pull requests
+
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v3
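Review bot: The job-level `permissions` block added to `release` in nodejs.yml lists only `contents: write`, and a job-level block sets every scope it does not list to `none`. The release steps are outside this hunk, so this is inferred: if they authenticate with `GITHUB_TOKEN` and semantic-release's GitHub plugin comments on released issues and pull requests, those calls would be refused unless `issues: write` and `pull-requests: write` are added too. If publishing with npm provenance is intended, `id-token: write` would also be required. Extending the comment to `contents: write # for semantic-release (tags and GitHub releases only)` would make the intended scope explicit.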
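Review bot: In smoke-test.yml the `test` job's own `permissions` block replaces the workflow-level one rather than merging with it, so the top-level `contents: read` added in the same hunk only acts as a default for jobs added later. A comment on the top-level block such as `# default for jobs that do not declare their own permissions` would record that. The `issues: write` scope is available to every step of `test`, whose body continues outside the hunk. If a single step creates the comment, moving it into a follow-up job that alone carries `issues: write` would let the checkout and test steps run with a read-only token.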