ci: Add GitHub token permissions for workflows (DefinitelyTyped#61065)

Signed-off-by: Varun Sharma <[email protected]>
andyGallagher · Jul 5, 2022 · dc991ec · dc991ec
1 parent 3fe008f
commit dc991ec
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 0 deletions.
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
@@ -1,6 +1,9 @@
 name: CI
 on: pull_request
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/UpdateCodeowners.yml b/.github/workflows/UpdateCodeowners.yml
@@ -10,6 +10,9 @@ on:
     - cron: "5 8 * * 1"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   update:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/ghostbuster.yml b/.github/workflows/ghostbuster.yml
@@ -11,8 +11,14 @@ on:
         required: false
         default: "false"
 
+permissions:
+  contents: read
+
 jobs:
   ghostbust:
+    permissions:
+      contents: write  # for Git to git push
+      pull-requests: write  # for peter-evans/create-pull-request to create a PR
     runs-on: ubuntu-latest
     if: github.repository == 'DefinitelyTyped/DefinitelyTyped'
 

diff --git a/.github/workflows/lint-md.yml b/.github/workflows/lint-md.yml
@@ -3,6 +3,9 @@ on:
   pull_request:
     paths:
       - '**.md'
+permissions:
+  contents: read
+
 jobs:
   lint-md:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/support-window.yml b/.github/workflows/support-window.yml
@@ -10,8 +10,13 @@ on:
   # Manually, when TypeScript is released
   # https://docs.github.com/en/actions/managing-workflow-runs/manually-running-a-workflow
   workflow_dispatch:
+permissions:
+  contents: read
+
 jobs:
   support-window:
+    permissions:
+      contents: write  # for Git to git push
     if: github.repository == 'DefinitelyTyped/DefinitelyTyped'
     runs-on: ubuntu-latest
     steps: