CodeQL: fix "Workflow does not contain permissions" warnings

robomics · robomics · commit a6da66b4a51b · 2025-01-13T19:06:05.000+01:00
diff --git a/.github/workflows/build-dockerfile.yml b/.github/workflows/build-dockerfile.yml
@@ -43,6 +43,10 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+  packages: ${{ github.event_name == 'pull_request' && 'read' || 'write' }}
+
 jobs:
   cache-test-datasets:
     name: Cache test dataset
@@ -52,9 +56,6 @@ jobs:
     name: Build Dockerfile
     needs: [cache-test-datasets]
     runs-on: ubuntu-latest
-    permissions:
-      contents: "read"
-      packages: "write"
     steps:
       - uses: actions/checkout@v4
         with:
diff --git a/.github/workflows/build-package.yml b/.github/workflows/build-package.yml
@@ -39,6 +39,10 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  attestations: write
+  contents: read
+
 jobs:
   build-package:
     name: Build package distribution
diff --git a/.github/workflows/cache-test-datasets.yml b/.github/workflows/cache-test-datasets.yml
@@ -15,6 +15,9 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+
 env:
   TEST_MCOOL_NAME: 4DNFI9GMP2J8.mcool
   TEST_MCOOL_URL: "https://zenodo.org/records/14616548/files/4DNFI9GMP2J8.stripepy.mcool?download=1"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -33,6 +33,9 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+
 jobs:
   matrix-factory:
     name: Generate job matrix
diff --git a/.github/workflows/lint-cff.yml b/.github/workflows/lint-cff.yml
@@ -25,6 +25,9 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+
 jobs:
   lint-cff:
     runs-on: ubuntu-latest
