diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index 27969aea2..862d2a120 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -8,8 +8,7 @@ on:
 # the GitHub repository. This means that it should not evaluate user input in a
 # way that allows code injection.
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   backport:
diff --git a/.github/workflows/blocked-prs.yml b/.github/workflows/blocked-prs.yml
index 4e4285260..fa00646e2 100644
--- a/.github/workflows/blocked-prs.yml
+++ b/.github/workflows/blocked-prs.yml
@@ -14,6 +14,8 @@ on:
         required: true
         type: number
 
+permissions: {}
+
 jobs:
   blocked_status:
     name: Check Blocked Status
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 26bd5473f..7b1375bc4 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -24,6 +24,8 @@ on:
         type: string
         default: Debug
 
+permissions: {}
+
 jobs:
   build:
     name: Build (${{ matrix.artifact-name }})
@@ -31,6 +33,7 @@ jobs:
     environment: ${{ inputs.environment || '' }}
 
     permissions:
+      contents: read
       # Required for Azure Trusted Signing
       id-token: write
       # Required for vcpkg binary cache
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index f556d20bb..ce602b4d3 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -10,10 +10,16 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   CodeQL:
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+      security-events: write
+
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
diff --git a/.github/workflows/merge-blocking-pr.yml b/.github/workflows/merge-blocking-pr.yml
index 57c9cf21e..5c6357430 100644
--- a/.github/workflows/merge-blocking-pr.yml
+++ b/.github/workflows/merge-blocking-pr.yml
@@ -11,6 +11,8 @@ on:
         required: true
         type: number
 
+permissions: {}
+
 jobs:
   update-blocked-status:
     name: Update Blocked Status
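Review bot: The `backport` job's own `permissions:` block is not in this hunk (the job definition begins on the hunk's last line), so it cannot be seen here whether the job re-grants what it needs once the workflow-level grant becomes `permissions: {}`; with an empty workflow-level block, any scope the job does not declare itself is absent from GITHUB_TOKEN. The header comment about not evaluating user input suggests this workflow runs with an elevated token, so the job presumably already carries `contents: write` and `pull-requests: write` of its own — confirm that rather than relying on the removed `contents: read`. While there, document each scope the way build.yml does, e.g. `# Required to push the backport branch and open the PR`.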
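Review bot: With `permissions: {}` now at workflow level, the `blocked_status` job (whose steps lie outside this hunk) must declare its own `permissions:` for whatever it does with GITHUB_TOKEN, otherwise the token carries no scopes and its API calls are rejected at runtime. The job name `Check Blocked Status` and the `type: number` input suggest it only reads a pull request, in which case `permissions:` / `  pull-requests: read` under `blocked_status:` is the minimum to declare. Confirm against the job's steps before adding it.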
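Review bot: The job-level `contents: read` / `id-token: write` block in a reusable workflow is a ceiling, not a grant: build.yml is invoked with `uses: ./.github/workflows/build.yml` from release.yml, and a called workflow's job cannot receive more than the calling job passes. A caller that omits `id-token: write` or the `packages` scope will see the Azure Trusted Signing and vcpkg cache steps fail at runtime rather than at validation, so the contract is worth stating above `permissions:`: `# Ceiling only: callers must grant at least these scopes, a called workflow cannot exceed the caller's job permissions.` The `packages:` line that the hunk's trailing comment introduces is outside the hunk.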
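Review bot: The new job-level block grants `security-events: write` without the per-scope why-comment convention build.yml uses, so a reader cannot tell it is the scope CodeQL's analyze step needs to upload results rather than a broader grant. Add `# Required to upload code-scanning (SARIF) results` above `security-events: write` and `# Required to check out the repository` above `contents: read`. Scoping the write to the `CodeQL` job instead of the workflow is the right shape given the `pull_request` trigger.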
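Review bot: As in blocked-prs.yml, `permissions: {}` at workflow level leaves the `update-blocked-status` job with no token scopes unless the job — whose body is outside this hunk — declares its own. A job named `Update Blocked Status` presumably writes a label or status on the numbered pull request, which needs `pull-requests: write` (or `statuses: write` if it sets a commit status) on the job, e.g. `permissions:` / `  pull-requests: write` under `update-blocked-status:`. Confirm against the step that performs the update.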
diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml
index 2035668f4..3ddb96aa7 100644
--- a/.github/workflows/nix.yml
+++ b/.github/workflows/nix.yml
@@ -66,8 +66,7 @@ on:
       - ".github/workflows/nix.yml"
   workflow_dispatch:
 
-permissions:
-  contents: read
+permissions: {}
 
 env:
   DEBUG: ${{ github.ref_type != 'tag' }}
@@ -76,6 +75,9 @@ jobs:
   build:
     name: Build (${{ matrix.system }})
 
+    permissions:
+      contents: read
+
     strategy:
       fail-fast: false
       matrix:
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 50707933b..1bb1c5b50 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -4,13 +4,15 @@ on:
   release:
     types: [ released ]
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   winget:
     name: Winget
 
+    permissions:
+      contents: read
+
     runs-on: ubuntu-slim
 
     steps:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 093bac083..c68c5bc93 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,10 +5,18 @@ on:
     tags:
       - "*"
 
+permissions: {}
+
 jobs:
   build_release:
     name: Build Release
     uses: ./.github/workflows/build.yml
+    permissions:
+      contents: read
+      # Required for Azure Trusted Signing
+      id-token: write
+      # Required for vcpkg binary cache
+      packages: write
     with:
       build-type: Release
       environment: Release
@@ -16,6 +24,8 @@ jobs:
 
   create_release:
     needs: build_release
+    permissions:
+      contents: write
     runs-on: ubuntu-slim
     outputs:
       upload_url: ${{ steps.create_release.outputs.upload_url }}
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 0447a7d25..7963c3efe 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -6,6 +6,8 @@ on:
     - cron: "0 0 * * 0"
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   label:
     name: Label issues and PRs
diff --git a/.github/workflows/update-flake.yml b/.github/workflows/update-flake.yml
index 92886728a..e3d77b804 100644
--- a/.github/workflows/update-flake.yml
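Review bot: `create_release` now gets `contents: write` on the job, but the workflow-level `permissions: {}` means the jobs that consume its `upload_url` output to attach assets (outside this hunk) no longer inherit anything and each needs its own `contents: write` as well; if they have none they will fail with a 403 on upload rather than at validation. Worth a comment on the new block so the next job author copies the pattern: `# Required to create the release; asset-upload jobs need the same scope on their own job`. The tightening itself is correct, since creating a release has no narrower scope than `contents: write`.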
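Review bot: `permissions: {}` at workflow level leaves the `label` job with no scopes unless the job — whose body is outside this hunk — declares its own; a job named `Label issues and PRs` presumably applies labels, which needs `issues: write` and `pull-requests: write` on the job. If the job has no `permissions:` block, add `permissions:` / `  issues: write` / `  pull-requests: write` under `label:` and confirm the scopes against the action it uses.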
+++ b/.github/workflows/update-flake.yml
@@ -6,13 +6,16 @@ on:
     - cron: "0 0 * * 0"
   workflow_dispatch:
 
-permissions:
-  contents: write
-  pull-requests: write
+permissions: {}
 
 jobs:
   update-flake:
     if: github.repository == 'PrismLauncher/PrismLauncher'
+
+    permissions:
+      contents: write
+      pull-requests: write
+
     runs-on: ubuntu-slim
 
     steps:
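Review bot: The job-scoped block carries `contents: write` and `pull-requests: write` with no comment saying why each is needed, unlike the `# Required for ...` convention in build.yml and release.yml, so a later reader cannot tell whether `contents: write` is only for pushing the update branch. The steps that use these scopes are outside the hunk, so presumably: add `# Required to push the flake.lock update branch` above `contents: write` and `# Required to open the update pull request` above `pull-requests: write`, adjusting if the steps differ. The `if: github.repository == 'PrismLauncher/PrismLauncher'` guard directly above keeps forks from running with these write scopes, which is the right pairing.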