ci: fix excessive token permissions -- again

PR rook#14473 tried to improve the token-permissions score of the OpenSSF scorecard report. https://scorecard.dev/viewer/?uri=github.com/rook/rook The latest scorecard run however shows that this score has not improved. It still shows two warbnings about missing top level permissions. The rest looks good (just Info entries). This change aims at finally improving the token-permissions score by adding top level permissions to the two warned-about workflow files. Signed-off-by: Michael Adam <obnox@samba.org>
red-hat-storage · Aug 12, 2024 · 2d29297 · 2d29297
1 parent cb1ea8c
commit 2d29297
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 0 deletions.
diff --git a/.github/workflows/canary-integration-test.yml b/.github/workflows/canary-integration-test.yml
@@ -13,6 +13,9 @@ defaults:
     # reference: https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#using-a-specific-shell
     shell: bash --noprofile --norc -eo pipefail -x {0}
 
+permissions:
+  contents: read
+
 jobs:
   canary:
     runs-on: ubuntu-22.04

diff --git a/.github/workflows/integration-test-keystone-auth-suite.yaml b/.github/workflows/integration-test-keystone-auth-suite.yaml
@@ -13,6 +13,9 @@ defaults:
     # reference: https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#using-a-specific-shell
     shell: bash --noprofile --norc -eo pipefail -x {0}
 
+permissions:
+  contents: read
+
 # cancel the in-progress workflow when PR is refreshed.
 concurrency:
   group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}