From f4d89c568504cf56565ad24e08ef9d78987d418f Mon Sep 17 00:00:00 2001
From: Rick Newton-Rogers
Date: Thu, 30 Oct 2025 15:49:24 +0000
Subject: [PATCH] Add explicit read permissions to workflows

Motivation:

* More secure GitHub Actions workflows

Modifications:

Add explicit 'contents: read' permissions to workflows that did not have explicit permissions defined. This follows GitHub Actions security best practices by limiting the default GITHUB_TOKEN permissions.

Result:

An extra layer of security.
---
 .github/workflows/main.yml               | 3 +++
 .github/workflows/pull_request.yml       | 3 +++
 .github/workflows/pull_request_label.yml | 3 +++
 .github/workflows/release_builds.yml     | 3 +++
 .github/workflows/unit_tests.yml         | 3 +++
 5 files changed, 15 insertions(+)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 66197716..1a5c5781 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,5 +1,8 @@
 name: Main
+permissions:
+  contents: read
+
 on:
   push:
     branches: [main]
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 69d06afc..1840100b 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -1,5 +1,8 @@
 name: PR
+permissions:
+  contents: read
+
 on:
   pull_request:
     types: [opened, reopened, synchronize]
diff --git a/.github/workflows/pull_request_label.yml b/.github/workflows/pull_request_label.yml
index 8fd47c13..d2da2f1a 100644
--- a/.github/workflows/pull_request_label.yml
+++ b/.github/workflows/pull_request_label.yml
@@ -1,5 +1,8 @@
 name: PR label
+permissions:
+  contents: read
+
 on:
   pull_request:
     types: [labeled, unlabeled, opened, reopened, synchronize]
diff --git a/.github/workflows/release_builds.yml b/.github/workflows/release_builds.yml
index c5cf40e8..9502968f 100644
--- a/.github/workflows/release_builds.yml
+++ b/.github/workflows/release_builds.yml
@@ -1,5 +1,8 @@
 name: Release builds
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
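Review bot: A workflow-level `permissions:` block that names only `contents: read` sets every other GITHUB_TOKEN scope in main.yml to `none`, and the jobs that would be affected lie outside the hunk, so nothing here confirms that none of them needs more than a checkout. The pull_request.yml and pull_request_label.yml hunks make the same change; the label workflow's `labeled`/`unlabeled` triggers in particular suggest a job may read or update PR labels through the API, which would now need a job-level `permissions:` re-granting `pull-requests: read` or `pull-requests: write`. A one-line comment above the new block would keep later authors from widening the workflow-wide grant instead of the job: `# Workflow-wide default; a job that needs more declares its own permissions block`.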
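Review bot: release_builds.yml is a `workflow_call` target, and a called workflow can only narrow the token grant it receives from its caller, so this top-level `contents: read` caps every job in the file at read even when a caller passes `contents: write`. If any job outside the hunk publishes release assets or otherwise writes to the repository, it now needs its own job-level `permissions:` declaring `contents: write`, and each caller must grant at least that. The unit_tests.yml hunk has the same reusable-workflow shape, though a test job is less likely to need anything beyond read. The callers' grants should be checked against the jobs in both files before merging.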
diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml
index 82976f59..0ad5f4db 100644
--- a/.github/workflows/unit_tests.yml
+++ b/.github/workflows/unit_tests.yml
@@ -1,5 +1,8 @@
 name: Unit tests
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs: