Add permissions to workflows executed by CI (#13809)

2025-09-16 08:26:31 +02:00 · 2025-09-15 11:31:41 +02:00
parent 89cf0b5499
commit 7d3638df81
4 changed files with 25 additions and 0 deletions
--- a/.github/workflows/create-release.yml
+++ b/.github/workflows/create-release.yml
@@ -19,6 +19,7 @@ jobs:
  check-is-fork:
    name: Check if running in a fork
    runs-on: ubuntu-latest
+    permissions: {}
    outputs:
      is-fork: ${{ steps.check.outputs.is-fork }}
    steps:
@@ -30,6 +31,10 @@ jobs:
  release-pr:
    runs-on: ubuntu-latest
    needs: check-is-fork
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
    if: |
      github.event_name != 'push' &&
      needs.check-is-fork.outputs.is-fork != 'true'
@@ -49,6 +54,8 @@ jobs:
  version-bump:
    runs-on: ubuntu-latest
    needs: release-pr
+    permissions:
+      contents: write
    if: |
      github.event_name != 'push' &&
      needs.release-pr.outputs.did-create-pr == 'true'
--- a/.github/workflows/merge-release.yml
+++ b/.github/workflows/merge-release.yml
@@ -7,6 +7,8 @@ jobs:
  release:
    runs-on: ubuntu-latest
    if: contains(github.event.pull_request.labels.*.name, 'release')
+    permissions:
+      pull-requests: write
    steps:
      - uses: actions/create-github-app-token@v2
        id: app-token
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -8,6 +8,8 @@ jobs:
  sanity-check:
    name: Pre-publish checks
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v5
@@ -30,6 +32,7 @@ jobs:
    needs: sanity-check
    runs-on: ubuntu-latest
    permissions:
+      contents: read
      id-token: write # for OIDC authentication
    steps:
      - name: Checkout
@@ -58,6 +61,8 @@ jobs:
    name: GitHub release
    needs: sanity-check
    runs-on: ubuntu-latest
+    permissions:
+      contents: write
    steps:
      - uses: actions/create-github-app-token@v2
        id: app-token
@@ -108,6 +113,8 @@ jobs:
    name: Trigger simple-icons-font release
    needs: npm
    runs-on: ubuntu-latest
+    permissions:
+      actions: write
    steps:
      - uses: actions/create-github-app-token@v2
        id: app-token
@@ -125,6 +132,8 @@ jobs:
    name: Trigger simpleicons.org website update
    needs: npm
    runs-on: ubuntu-latest
+    permissions:
+      actions: write
    steps:
      - uses: actions/create-github-app-token@v2
        id: app-token
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -9,6 +9,7 @@ jobs:
  check-is-fork:
    name: Check if running in a fork
    runs-on: ubuntu-latest
+    permissions: {}
    outputs:
      is-fork: ${{ steps.check.outputs.is-fork }}
    steps:
@@ -22,6 +23,12 @@ jobs:
    needs: check-is-fork
    if: needs.check-is-fork.outputs.is-fork != 'true'
    timeout-minutes: 15
+    permissions:
+      contents: write
+      issues: write
+      pull-requests: write
+      checks: write
+      statuses: write
    steps:
      - uses: actions/create-github-app-token@v2
        id: app-token