build: harden workflow permissions

Signed-off-by: Alex <aleksandrosansan@gmail.com>
2022-09-25 17:24:06 +02:00 · 2022-09-25 17:24:06 +02:00 · 9074ad93c6
parent fae24d86f5
commit 9074ad93c6
3 changed files with 9 additions and 0 deletions
--- a/.github/workflows/cygwin.yml
+++ b/.github/workflows/cygwin.yml
@ -18,6 +18,9 @@ on:
      - ".github/workflows/cygwin.yml"
      - "run*tests.py"

+permissions:
+  contents: read
+
 jobs:
  test:
    runs-on: windows-latest
--- a/.github/workflows/images.yml
+++ b/.github/workflows/images.yml
@ -23,6 +23,9 @@ on:
  schedule:
    - cron: '0 0 * * 0'

+permissions:
+  contents: read
+
 jobs:
  build:
    # do not run the weekly scheduled job in a fork
--- a/.github/workflows/website.yml
+++ b/.github/workflows/website.yml
@ -19,6 +19,9 @@ on:
    types:
      - published

+permissions:
+  contents: write # for release creation (svenstaro/upload-release-action)
+
 # This job is copy/paster into wrapdb CI, please update it there when doing any
 # change here.
 jobs: