Harden default permissions of GH actions ( - Fixes #39 - )

reactive-firewall · reactive-firewall · commit cdba8ce61c8b · 2024-07-11T00:13:22.000-07:00
diff --git a/.github/workflows/Labeler.yml b/.github/workflows/Labeler.yml
@@ -4,6 +4,9 @@ on:
     types: [opened, reopened]
     branches: [ master, stable ]
 
+# Declare default permissions as none.
+permissions: none
+
 jobs:
   triage:
     permissions:
diff --git a/.github/workflows/Tests.yml b/.github/workflows/Tests.yml
@@ -7,6 +7,9 @@ on:
     tags:
       - v*
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   BUILD:
     if: github.repository == 'reactive-firewall/python-repo'
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -20,6 +20,9 @@ on:
   schedule:
     - cron: '17 5 * * 1'
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   analyze:
     name: Analyze
