From 6ee51ce7637a6a70bd7c95ed20cbefceca862282 Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Sun, 2 Feb 2025 13:45:14 +0100
Subject: [PATCH] ci: set contents read as default workflow permissions

---
 .github/workflows/build.yml  | 12 ++++++++++++
 .github/workflows/codeql.yml |  9 +++++++++
 .github/workflows/docs.yml   |  7 +++++++
 .github/workflows/e2e.yml    |  4 ++++
 .github/workflows/labels.yml |  9 +++++++++
 5 files changed, 41 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 9660b32c..ef6aa2f3 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -4,6 +4,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 on:
   push:
     branches:
@@ -143,6 +147,9 @@ jobs:
 
   release:
     runs-on: ubuntu-latest
+    permissions:
+      # required to create GitHub release
+      contents: write
     needs:
       - artifact
       - test
@@ -183,6 +190,11 @@ jobs:
 
   image:
     runs-on: ubuntu-latest
+    permissions:
+      # same as global permissions
+      contents: read
+      # required to push to GHCR
+      packages: write
     needs:
       - artifact
       - test
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 2673a9b2..795ffd93 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -4,6 +4,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 on:
   push:
     branches:
@@ -19,6 +23,11 @@ on:
 jobs:
   codeql:
     runs-on: ubuntu-latest
+    permissions:
+      # same as global permissions
+      contents: read
+      # required for code scanning
+      security-events: write
     steps:
       -
         name: Checkout
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 6ad8b0b9..18e4cd58 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -4,6 +4,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   push:
@@ -18,6 +22,9 @@ env:
 jobs:
   publish:
     runs-on: ubuntu-latest
+    permissions:
+      # required to push to gh-pages
+      contents: write
     steps:
       -
         name: Checkout
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index bf252a97..0ecd3a02 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -4,6 +4,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 on:
   push:
     branches:
diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml
index 1342d9e6..c0900a88 100644
--- a/.github/workflows/labels.yml
+++ b/.github/workflows/labels.yml
@@ -4,6 +4,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 on:
   push:
     branches:
@@ -19,6 +23,11 @@ on:
 jobs:
   labeler:
     runs-on: ubuntu-latest
+    permissions:
+      # same as global permissions
+      contents: read
+      # required to update labels
+      issues: write
     steps:
       -
         name: Checkout