From e16e24a7d136a1fb70f34f60a4fa0d2708c98d2f Mon Sep 17 00:00:00 2001 From: Anton Belodedenko <2033996+ab77@users.noreply.github.com> Date: Mon, 18 Nov 2024 12:35:14 -0800 Subject: [PATCH] Explicitly set GH_TOKEN permissions change-type: patch --- .github/workflows/flowzone.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/.github/workflows/flowzone.yml b/.github/workflows/flowzone.yml index 77baf00..2870198 100644 --- a/.github/workflows/flowzone.yml +++ b/.github/workflows/flowzone.yml @@ -7,6 +7,28 @@ on: pull_request_target: types: [opened, synchronize, closed] branches: [main, master] + +# Base permissions required by Flowzone +# https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#permissions-for-the-github_token +# https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#permissions +permissions: + actions: none + attestations: none + checks: none + contents: read + deployments: none + id-token: none + issues: none + discussions: none + pages: none + pull-requests: none + repository-projects: none + security-events: none + statuses: none + + # Additional permissions needed by this repo, such as: + packages: write # Allow Flowzone to publish to ghcr.io + jobs: flowzone: name: Flowzone