diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml
index 92eeb93a..5409c80b 100644
--- a/.github/workflows/automerge.yml
+++ b/.github/workflows/automerge.yml
@@ -8,6 +8,10 @@ on:
 workflows: ["CI"]
 types: [completed]

+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 on-success:
 if: >
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index e706c6a6..1b41d753 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -10,6 +10,10 @@ on:
 # Allows this workflow to be run manually from the Actions tab
 workflow_dispatch:

+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 release:
 name: Create/Update Release Pull Request
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7f81a746..53b66ae2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -18,6 +18,9 @@ on:
 - "*.md"
 types: [opened, ready_for_review, reopened, synchronize]

+permissions:
+ contents: read
+
 # This allows a subsequently queued workflow run to interrupt previous runs
 concurrency:
 group: "${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 32b4434e..706aff58 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -19,8 +19,6 @@ on:
 types: [opened, ready_for_review, reopened, synchronize]

 permissions:
- actions: read
- contents: read
 security-events: write

 # This allows a subsequently queued workflow run to interrupt previous runs
diff --git a/.github/workflows/link-check.yml b/.github/workflows/link-check.yml
index eeeb3177..e9b4664b 100644
--- a/.github/workflows/link-check.yml
+++ b/.github/workflows/link-check.yml
@@ -29,6 +29,9 @@ on:
 # Allows this workflow to be run manually from the Actions tab
 workflow_dispatch:

+permissions:
+ contents: read
+
 jobs:
 link-check:
 name: Link Check
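Review bot: In .github/workflows/automerge.yml the new `permissions:` block grants `contents: write` and `pull-requests: write` to every job in a workflow triggered by `workflow_run`, which runs with the base repository's token even when the completed CI run came from a fork pull request. Since only the `on-success` job is visible, I would move the grant under that job (`jobs.on-success.permissions`) and set the workflow level to `permissions: {}`, so any job added later starts with no access. The job body continues outside the hunk, so please confirm it does not check out or run code from the triggering pull request while holding the write token. The same workflow-level write grant appears in the cd.yml hunk and could be scoped to its `release` job in the same way.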
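Review bot: In .github/workflows/codeql.yml, dropping `actions: read` and `contents: read` leaves `security-events: write` as the only scope, and once a `permissions:` block is present every scope it does not list is set to `none`. That is sufficient for a public repository, but in a private or internal repository the checkout and CodeQL steps need both read scopes and would presumably fail; the repository's visibility cannot be determined from this diff. I would either keep `contents: read` for explicitness or add a comment above the block such as `# actions: read and contents: read are only required in private repositories`, so the omission reads as deliberate.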