Permissions on workflows

funfair-tech · Oct 5, 2024 · 99d39d1 · 99d39d1
1 parent 087fdee
commit 99d39d1
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 3 deletions.
diff --git a/.github/workflows/approve-dependabot.yml b/.github/workflows/approve-dependabot.yml
@@ -14,6 +14,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   enable-auto-merge-github-actions:
     if: |-

diff --git a/.github/workflows/create-prs-for-stale-branches.yml b/.github/workflows/create-prs-for-stale-branches.yml
@@ -13,13 +13,13 @@ concurrency:
   group: ${{github.workflow}}-${{github.ref}}
   cancel-in-progress: false
 
+permissions:
+  contents: read
+
 jobs:
   build-matrix:
     runs-on: [self-hosted, linux, build]
 
-    permissions:
-      contents: read
-
     steps:
       - name: "Initialise Workspace"
         if: startsWith(runner.name, 'buildagent-')

diff --git a/.github/workflows/update-labels.yml b/.github/workflows/update-labels.yml
@@ -12,11 +12,17 @@ concurrency:
   group: ${{github.workflow}}-${{github.ref}}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   update-labels-config:
 
     runs-on: [self-hosted, linux, build]
 
+    permissions:
+      issues: write  # for crazy-max/ghaction-github-labeler to create, rename, update
+
     steps:
       - name: "Initialise Workspace"
         if: startsWith(runner.name, 'buildagent-')