diff --git a/.github/workflows/build-multi-stage.yaml b/.github/workflows/build-multi-stage.yaml
index c0e83a07c..9b312a296 100644
--- a/.github/workflows/build-multi-stage.yaml
+++ b/.github/workflows/build-multi-stage.yaml
@@ -5,6 +5,9 @@ on:
 pull_request:
 branches:
 - '*'
+permissions:
+ contents: read
+
 jobs:
 codespell:
 name: multi-arch-build
diff --git a/.github/workflows/codespell.yaml b/.github/workflows/codespell.yaml
index 8dd40f6c2..29e4711d9 100644
--- a/.github/workflows/codespell.yaml
+++ b/.github/workflows/codespell.yaml
@@ -7,6 +7,9 @@ on:
 pull_request:
 branches:
 - '*'
+permissions:
+ contents: read
+
 jobs:
 codespell:
 name: codespell
diff --git a/.github/workflows/commitlint.yaml b/.github/workflows/commitlint.yaml
index 60aa16efe..05338adac 100644
--- a/.github/workflows/commitlint.yaml
+++ b/.github/workflows/commitlint.yaml
@@ -5,6 +5,9 @@ on:
 pull_request:
 branches:
 - '*'
+permissions:
+ contents: read
+
 jobs:
 commitlint:
 name: commitlint
diff --git a/.github/workflows/go-test.yaml b/.github/workflows/go-test.yaml
index dbd97026c..17c3a685e 100644
--- a/.github/workflows/go-test.yaml
+++ b/.github/workflows/go-test.yaml
@@ -5,6 +5,9 @@ on:
 pull_request:
 branches:
 - '*'
+permissions:
+ contents: read
+
 jobs:
 go-test:
 name: go-test
diff --git a/.github/workflows/golangci-lint.yaml b/.github/workflows/golangci-lint.yaml
index bf7c5ee16..37ac0b376 100644
--- a/.github/workflows/golangci-lint.yaml
+++ b/.github/workflows/golangci-lint.yaml
@@ -5,6 +5,9 @@ on:
 pull_request:
 branches:
 - '*'
+permissions:
+ contents: read
+
 jobs:
 golangci-lint:
 name: golangci-lint
diff --git a/.github/workflows/lint-extras.yaml b/.github/workflows/lint-extras.yaml
index ee6b647fd..23afffa16 100644
--- a/.github/workflows/lint-extras.yaml
+++ b/.github/workflows/lint-extras.yaml
@@ -5,6 +5,9 @@ on:
 pull_request:
 branches:
 - '*'
+permissions:
+ contents: read
+
 jobs:
 lint-extras:
 name: lint-extras
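Review bot: The new top-level `permissions:` block in build-multi-stage.yaml has no comment, and its effect is easy to misread: once any scope is listed, every GITHUB_TOKEN scope that is not listed drops to `none`, so the block restricts the whole workflow rather than only describing `contents`. I would annotate it the way the stale.yaml hunk annotates its scopes, e.g. `contents: read  # read-only token; unlisted scopes become none`. The same applies to the identical blocks in codespell, commitlint, go-test, golangci-lint, lint-extras, mod-check and test-retest-action. Separately, the context lines show the job id `codespell` under a job named `multi-arch-build`, which looks like a copy-paste leftover; the job body lies outside the hunk.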
diff --git a/.github/workflows/mod-check.yaml b/.github/workflows/mod-check.yaml
index d6e5b1a74..10e22d783 100644
--- a/.github/workflows/mod-check.yaml
+++ b/.github/workflows/mod-check.yaml
@@ -5,6 +5,9 @@ on:
 pull_request:
 branches:
 - '*'
+permissions:
+ contents: read
+
 jobs:
 mod-check:
 name: mod-check
diff --git a/.github/workflows/publish-artifacts.yaml b/.github/workflows/publish-artifacts.yaml
index bb31d2900..b5a53c4b1 100644
--- a/.github/workflows/publish-artifacts.yaml
+++ b/.github/workflows/publish-artifacts.yaml
@@ -9,6 +9,9 @@ on:
 - devel
 # Push events to branches matching refs/heads/release-v*
 - 'release-v*'
+permissions:
+ contents: read
+
 jobs:
 push:
 name: Publish artifacts
diff --git a/.github/workflows/retest.yml b/.github/workflows/retest.yaml
similarity index 93%
rename from .github/workflows/retest.yml
rename to .github/workflows/retest.yaml
index 0ff69338b..3299e0dcb 100644
--- a/.github/workflows/retest.yml
+++ b/.github/workflows/retest.yaml
@@ -5,6 +5,10 @@ on:
 schedule:
 # Run the retest action every 30 minutes
 - cron: "30 * * * *"
+
+permissions:
+ contents: read
+
 jobs:
 retest:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
index 7fbfaa013..07c8e7ae2 100644
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@@ -7,8 +7,14 @@ on:
 # Run the stalebot every day at 9pm UTC
 - cron: "00 21 * * *"
 # yamllint disable rule:line-length
+permissions:
+ contents: read
+
 jobs:
 stale:
+ permissions:
+ issues: write # for actions/stale to close stale issues
+ pull-requests: write # for actions/stale to close stale PRs
 runs-on: ubuntu-18.04
 if: github.repository == 'ceph/ceph-csi'
 steps:
diff --git a/.github/workflows/test-retest-action.yaml b/.github/workflows/test-retest-action.yaml
index 6adba100e..3d732370d 100644
--- a/.github/workflows/test-retest-action.yaml
+++ b/.github/workflows/test-retest-action.yaml
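Review bot: In publish-artifacts.yaml the workflow-level `contents: read` also sets every unlisted scope (`packages`, `issues`, `pull-requests` and the rest) to `none`, and unlike the stale.yaml hunk no job-level grant is added for the `push` job. Its steps are outside the hunk, so this may be fine if publishing authenticates with registry credentials taken from secrets. If any step relies on the default GITHUB_TOKEN to write, the job needs its own scoped block, e.g. `permissions:` with `packages: write` and a comment naming the step that needs it. The retest.yaml hunk leaves the same question open for the `retest` job, whose steps are also not shown. Also in retest.yaml, the context comment says "every 30 minutes" but `cron: "30 * * * *"` fires once an hour at minute 30, so either the comment or the expression (`*/30 * * * *`) should change.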
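Review bot: In stale.yaml the job-level `permissions:` on `stale` replaces the workflow-level block for that job rather than adding to it, so `contents` is `none` there, not `read`. That is the tighter setting and is probably what is wanted, but the two blocks side by side read as if they were merged. A comment above the job block such as `# job-level permissions override the workflow default; contents is none for this job` would make that explicit. If the stale configuration, which is outside the hunk, ever enables branch deletion, the job would then need its own `contents: write` grant.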
@@ -5,6 +5,9 @@ on: pull_request: branches: [devel] +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest