From 3de532182b63ed7067f8d0d087c3ce92f23aa726 Mon Sep 17 00:00:00 2001
From: Melissa Kilby
Date: Fri, 3 Oct 2025 15:54:57 -0700
Subject: [PATCH] set explicit permissions for GitHub workflows - all remaining workflows .github/workflows/create_automerge_pr.yml .github/workflows/performance_test.yml .github/workflows/pull_request.yml .github/workflows/swift_package_test.yml Note: `write` permissions were already accurately set at the job level according to best practices. In those cases, it was simply about adding `contents: read` at the very top to be future-proof, as per OpenSSF recommendations.
Signed-off-by: Melissa Kilby
---
 .github/workflows/create_automerge_pr.yml | 4 ++++
 .github/workflows/performance_test.yml | 3 +++
 .github/workflows/pull_request.yml | 3 +++
 .github/workflows/swift_package_test.yml | 3 +++
 4 files changed, 13 insertions(+)
diff --git a/.github/workflows/create_automerge_pr.yml b/.github/workflows/create_automerge_pr.yml
index 0c5a39c..ca2e092 100644
--- a/.github/workflows/create_automerge_pr.yml
+++ b/.github/workflows/create_automerge_pr.yml
@@ -40,6 +40,10 @@ name: Create automerge PR
 # types: [..., ready_for_review]
 # ```
 # Unfortunately this will also re-trigger testing evenon a normal user's PR (which may have already been tested), but skipping them causes the checks to reset so this is the best we can do for now.
+
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
diff --git a/.github/workflows/performance_test.yml b/.github/workflows/performance_test.yml
index 105e004..dcec832 100644
--- a/.github/workflows/performance_test.yml
+++ b/.github/workflows/performance_test.yml
@@ -1,5 +1,8 @@
 name: Performance test
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 1df9e89..32b404a 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
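Review bot: The new workflow-level `contents: read` does not merge with a job-level `permissions:` block — a job that declares its own block (the commit message says the write scopes for this file live at job level) receives exactly the scopes it lists and nothing else, so any such job that checks out the repository must itself repeat `contents: read` (or `contents: write` if it pushes the automerge branch). That is worth verifying against the jobs, which are outside this hunk, since a job listing only `pull-requests: write` would lose checkout access on a private repo without any change to its own lines. I would record the rule next to the new block so the next edit does not trip on it: `# Workflow-wide default. Job-level permissions blocks REPLACE this set, so a job that needs checkout must re-list contents: itself.`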
@@ -1,5 +1,8 @@
 name: Pull request
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     types: [opened, reopened, synchronize]
diff --git a/.github/workflows/swift_package_test.yml b/.github/workflows/swift_package_test.yml
index 524d5ca..68125a4 100644
--- a/.github/workflows/swift_package_test.yml
+++ b/.github/workflows/swift_package_test.yml
@@ -1,5 +1,8 @@
 name: Swift Matrix
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
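Review bot: Because this workflow is entered only through `workflow_call`, the new `contents: read` acts as a cap rather than a grant: the token a job here sees is whatever the caller passed, downgraded to this set, and a called workflow cannot raise it back. If a job in this file later needs a write scope, it will presumably fail at run time unless the caller's `permissions:` also grants it, which is easy to misdiagnose from inside the reusable workflow. A one-line comment above the block would make that explicit, e.g. `# Reusable workflow: the caller's token is downgraded to this set and cannot be elevated here.` The jobs this applies to are outside the hunk.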