chore: Set permissions for GitHub actions (#8550)

neilnaveen · web-flow · commit f135bfa3e53b · 2022-07-04T15:12:32.000-04:00
Restrict the GitHub token permissions only to just what is required and make them read-only where possible.

Signed-off-by: neilnaveen &lt;42328488+neilnaveen@users.noreply.github.com&gt;
diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml
@@ -8,8 +8,13 @@ on:
 env:
   CI: true
 
+permissions:
+  contents: read
+
 jobs:
   build_cli:
+    permissions:
+      contents: write  # for softprops/action-gh-release to create GitHub release
     runs-on: macos-11
     steps:
       - uses: actions/checkout@v2
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [master]
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
@@ -9,6 +9,9 @@ on:
   pull_request:
     branches: [master]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release-insiders.yml b/.github/workflows/release-insiders.yml
@@ -4,6 +4,9 @@ on:
   push:
     branches: [master]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -4,6 +4,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
