[security] Set explicit permissions for GitHub Actions workflows (#887)

BenjaminPelletier · web-flow · commit c8b4d4651737 · 2025-01-16T11:50:56.000+01:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -7,6 +7,8 @@ on:
 jobs:
   hygiene-tests:
     name: Repository hygiene
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
     - name: Job information
diff --git a/.github/workflows/dev-checks.yml b/.github/workflows/dev-checks.yml
@@ -1,4 +1,6 @@
 name: Developers environment checks
+permissions:
+  contents: read
 on:
   pull_request: # All
   push:
diff --git a/.github/workflows/image-publish.yml b/.github/workflows/image-publish.yml
@@ -14,6 +14,8 @@ on:
       # be the one found in scripts/tag.sh.
       # [1] https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet
       - "interuss/monitoring/v[0-9]+.[0-9]+.[0-9]+-?*"
+permissions:
+  contents: read
 jobs:
   docker-hub-push:
     name: Build and Push to Docker Hub
diff --git a/.github/workflows/monitoring-test.yml b/.github/workflows/monitoring-test.yml
@@ -1,5 +1,9 @@
 name: 'Run a monitoring test (re-usable workflow)'
 
+# https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
