explicitly set permissions for github workflows (#433)

Signed-off-by: Kenny Leung <kleung@chainguard.dev>
sigstore · Feb 23, 2022 · 9864962 · 9864962
1 parent a680618
commit 9864962
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 0 deletions.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -24,6 +24,10 @@ on:
   schedule:
     - cron: '45 10 * * 1'
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   analyze:
     name: Analyze

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -21,6 +21,9 @@ on:
   pull_request:
     branches: [ main, development ]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-20.04

diff --git a/.github/workflows/verify-k8s.yml b/.github/workflows/verify-k8s.yml
@@ -17,6 +17,9 @@ name: Verify-K8s
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   verify-k8s-manifests:
     name: k8s manifest check

diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
@@ -17,6 +17,9 @@ name: Verify
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   license-check:
     name: license boilerplate check