fix: no workflow default permissions (#30)

statnett · Oct 10, 2023 · e4fac84 · e4fac84
1 parent 30e8f56
commit e4fac84
Show file tree

Hide file tree

Showing 7 changed files with 9 additions and 21 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -1,15 +1,14 @@
 ---
 name: CI
-
 on:
   pull_request: {}
   push:
     branches:
       - main
-
 concurrency:
   group: ci-${{ github.head_ref || github.ref }}
   cancel-in-progress: true
+
 permissions:
   contents: read
 jobs:

diff --git a/.github/workflows/clean-ghcr.yaml b/.github/workflows/clean-ghcr.yaml
@@ -1,6 +1,5 @@
 ---
 name: Delete Obsolete GHCR Images
-
 on:
   workflow_call:
     inputs:
@@ -21,8 +20,7 @@ on:
           You need to pass a (classic) personal access token (PAT) with access to the container registry.
           Specifically, you need to grant it the following scopes: read:packages and delete:packages.
 
-permissions:
-  contents: read
+permissions: {}
 jobs:
   clean-ghcr:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
@@ -1,6 +1,5 @@
 ---
-name: "CodeQL"
-
+name: CodeQL
 on:
   workflow_call:
     inputs:
@@ -12,12 +11,11 @@ on:
           Use only 'java-kotlin' to analyze code written in Java, Kotlin or both.
           Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both.
           Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
-
 concurrency:
   group: codeql-${{ github.head_ref || github.ref }}
   cancel-in-progress: true
-permissions:
-  contents: read
+
+permissions: {}
 jobs:
   analyze:
     name: Analyze

diff --git a/.github/workflows/lint-pr.yaml b/.github/workflows/lint-pr.yaml
@@ -1,6 +1,5 @@
 ---
 name: Lint PR
-
 on:
   workflow_call: {}
   pull_request_target:
@@ -9,8 +8,7 @@ on:
       - edited
       - synchronize
 
-permissions:
-  contents: read
+permissions: {}
 jobs:
   pr-title-lint:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml
@@ -1,6 +1,5 @@
 ---
 name: Release Please
-
 on:
   workflow_call:
     inputs:
@@ -35,8 +34,7 @@ on:
         description: sha that a GitHub release was tagged at
         value: ${{ jobs.release-please.outputs.sha }}
 
-permissions:
-  contents: read
+permissions: {}
 jobs:
   release-please:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -6,8 +6,7 @@ on:
       - main
   workflow_dispatch:
 
-permissions:
-  contents: read
+permissions: {}
 jobs:
   release-please:
     uses: ./.github/workflows/release-please.yaml

diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml
@@ -1,6 +1,5 @@
 ---
 name: Scorecard supply-chain security
-
 on:
   workflow_call: {}
   # For Branch-Protection check. Only the default branch is supported. See
@@ -14,8 +13,7 @@ on:
     branches:
       - main
 
-permissions:
-  contents: read
+permissions: {}
 jobs:
   analysis:
     name: Scorecard analysis