chore: fix checkov workflow findings

makandra · Nov 21, 2024 · 4b3ddb8 · 4b3ddb8
1 parent 40f71d8
commit 4b3ddb8
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 8 deletions.
diff --git a/.github/workflows/checkov.yml b/.github/workflows/checkov.yml
@@ -8,16 +8,13 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
-permissions: read-all
+permissions:
+  contents: read
+  security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
 
 jobs:
   scan:
-    permissions:
-      contents: read
-      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-
     runs-on: ubuntu-latest
-
     steps:
       - uses: actions/checkout@v3
 

diff --git a/.github/workflows/conventional-commits.yml b/.github/workflows/conventional-commits.yml
@@ -2,10 +2,14 @@ name: Conventional Commits
 
 on:
   pull_request:
+permissions:
+  contents: read
 
 jobs:
   conventional-commits:
     name: Conventional Commits
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2

diff --git a/.github/workflows/semantic-release.yml b/.github/workflows/semantic-release.yml
@@ -2,8 +2,11 @@ name: "Semantic-Release"
 on:
   push:
     branches:
-      - master
       - main
+permissions:
+  contents: write
+  issues: write
+  pull-requests: write
 
 jobs:
   release:

diff --git a/.github/workflows/tflint.yml b/.github/workflows/tflint.yml
@@ -1,10 +1,13 @@
 name: Tflint
 on:
   pull_request:
-
+permissions:
+  contents: read
 
 jobs:
   tflint:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     strategy:
       matrix: