From 364d36d0e48e8de12455c56cecb03a167eb11d66 Mon Sep 17 00:00:00 2001
From: Melissa Kilby
Date: Fri, 10 Oct 2025 16:24:04 -0700
Subject: [PATCH] chore: restrict GitHub workflow permissions - future-proof

Signed-off-by: Melissa Kilby
---
 .github/workflows/auto_update_version.yml | 3 +++
 .github/workflows/automerge.yml | 2 ++
 .github/workflows/publish_release.yml | 3 +++
 .github/workflows/pull_request.yml | 3 +++
 4 files changed, 11 insertions(+)

diff --git a/.github/workflows/auto_update_version.yml b/.github/workflows/auto_update_version.yml
index ab61a9a5f..e449f245b 100644
--- a/.github/workflows/auto_update_version.yml
+++ b/.github/workflows/auto_update_version.yml
@@ -1,5 +1,8 @@
 name: Update PrintVersion on release branch creation
+permissions:
+ contents: read
+
 on:
 create:
 branches:
diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml
index 7c65edeef..a781884bd 100644
--- a/.github/workflows/automerge.yml
+++ b/.github/workflows/automerge.yml
@@ -1,6 +1,8 @@
 name: Create PR to merge main into release branch
 # In the first period after branching the release branch, we typically want to include all changes from `main` also in the release branch. This workflow automatically creates a PR every Monday to merge main into the release branch.
 # Later in the release cycle we should stop this practice to avoid landing risky changes by disabling this workflow. To do so, disable the workflow as described in https://docs.github.com/en/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/disabling-and-enabling-a-workflow
+permissions:
+ contents: read
 on:
 schedule:
 - cron: '0 9 * * MON'
diff --git a/.github/workflows/publish_release.yml b/.github/workflows/publish_release.yml
index 3635c0eaa..4af70cff5 100644
--- a/.github/workflows/publish_release.yml
+++ b/.github/workflows/publish_release.yml
@@ -1,5 +1,8 @@
 name: Publish Release
+permissions:
+ contents: read
+
 on:
 workflow_dispatch:
 inputs:
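Review bot: With `contents: read` declared at workflow level, every other GITHUB_TOKEN scope defaults to none, yet automerge.yml's own header comment says the workflow creates a pull request every Monday, which with GITHUB_TOKEN needs `pull-requests: write` (and `contents: write` to push the merge branch). The job definitions are outside this hunk, so the grant may already exist at job level or the job may use a separate app/PAT token; if neither holds, the scheduled run will start failing with a permissions error only at the next cron firing, after the commit has landed. The same question applies to the auto_update_version.yml hunk (the workflow name says it updates a file on the release branch) and the publish_release.yml hunk (publishing a release normally needs `contents: write`); note that each of those hunks shows one fewer line than its `@@` header counts, so their last context line is outside this view. Keeping the workflow-level `contents: read` and adding a job-level `permissions:` block with the minimum each job needs is the least-privilege shape here. Minor style point: unlike the other three files, this hunk adds no blank line between `contents: read` and `on:`; for consistency add the same `+` blank line.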
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 969b98061..1e13e6345 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -3,6 +3,9 @@ name: Pull request
 # PRs created by GitHub Actions don't kick off further actions (https://github.com/peter-evans/create-pull-request/blob/d57e551ebc1a16dee0b8c9ea6d24dba7627a6e35/docs/concepts-guidelines.md#triggering-further-workflow-runs).
 # As a workaround, we mark automerge PRs that are created by GitHub actions as draft and trigger the GitHub actions by marking the PR as ready for review. We'd prefer not re-triggering testing on a normal user's PR in this case, but skipping them causes the checks to reset.
+permissions:
+ contents: read
+
 on:
 pull_request:
 types: [opened, reopened, synchronize, ready_for_review]