From 67b33b2942fe4b562f6d1c3280f0fdd709d77f58 Mon Sep 17 00:00:00 2001
From: Derek Bailey
Date: Mon, 11 Apr 2022 20:01:00 -0700
Subject: [PATCH] set workflows permissions to read-only (#7239)
---
 .github/workflows/build.yml | 1 +
 .github/workflows/codeql.yml | 1 +
 .github/workflows/label.yml | 2 ++
 .github/workflows/main.yml | 2 ++
 .github/workflows/stale.yml | 1 +
 5 files changed, 7 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 82186d3c1..1095b1691 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,4 +1,5 @@
 name: CI
+permissions: read-all
 on:
 push:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index a856e54b8..fd38f6ea3 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -10,6 +10,7 @@
 # supported CodeQL languages.
 #
 name: "CodeQL"
+permissions: read-all
 on:
 push:
diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml
index 53dd4727f..885264290 100644
--- a/.github/workflows/label.yml
+++ b/.github/workflows/label.yml
@@ -6,6 +6,8 @@
 # https://github.com/actions/labeler
 name: Labeler
+permissions: read-all
+
 on: [pull_request_target]
 jobs:
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index f8d8bc1fa..7394617c0 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,4 +1,6 @@
 name: OSS-Fuzz
+permissions: read-all
+
 on:
 pull_request:
 branches:
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index b322b747c..45f011929 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -1,4 +1,5 @@
 name: Mark stale issues and pull requests
+permissions: read-all
 on:
 schedule:
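Review bot: `permissions: read-all` in .github/workflows/build.yml grants the token read access on every scope, which is wider than a build-and-test workflow normally needs. A `permissions:` mapping with the single entry `contents: read` would state the least privilege explicitly and leave every other scope at none. The same applies to the OSS-Fuzz workflow in main.yml. The jobs of both files lie outside the hunks, so confirm that no step reads another scope before narrowing.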
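Review bot: The workflow-level `permissions: read-all` in .github/workflows/codeql.yml leaves the token without `security-events: write`, which the CodeQL upload needs, so results would stop reaching code scanning unless the job declares its own permissions; the jobs section is outside the hunk, so this is inferred. Keep the read-only default and add a job-level `permissions:` block with `security-events: write` (plus `contents: read` and `actions: read`) on the analysis job. The same gap appears in label.yml, where the labeler job needs `pull-requests: write` to apply labels, and in stale.yml, where a stale-marking job would need `issues: write` and `pull-requests: write`. Granting write per job rather than per workflow matters most in label.yml, because `pull_request_target` runs with the base repository's token on pull requests from forks.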