diff --git a/.github/workflows/ci-docs-shim.yaml b/.github/workflows/ci-docs-shim.yaml
index 080db8b..2b4f7f4 100644
--- a/.github/workflows/ci-docs-shim.yaml
+++ b/.github/workflows/ci-docs-shim.yaml
@@ -8,6 +8,10 @@ on:
 branches: [main]
 types: [milestoned, opened, synchronize]
+# Permissions for the GITHUB_TOKEN used by the workflow.
+permissions:
+ contents: read # Allows reading the content of the repository.
+
 jobs:
 validate:
 strategy:
diff --git a/.github/workflows/commitlint.yaml b/.github/workflows/commitlint.yaml
index 90a8315..50fe1a5 100644
--- a/.github/workflows/commitlint.yaml
+++ b/.github/workflows/commitlint.yaml
@@ -8,6 +8,10 @@ on:
 branches: [main]
 types: [milestoned, opened, edited, synchronize]
+# Permissions for the GITHUB_TOKEN used by the workflow.
+permissions:
+ contents: read # Allows reading the content of the repository.
+
 jobs:
 validate:
 uses: defenseunicorns/uds-common/.github/workflows/callable-commitlint.yaml@f0164622ffc2007e96a0e1deaa3f5064db04b148 # v1.1.0
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 4c67d49..e3994e6 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -3,6 +3,10 @@
 name: Lint
+# Permissions for the GITHUB_TOKEN used by the workflow.
+permissions:
+ contents: read # Allows reading the content of the repository.
+
 on:
 # This workflow is triggered on pull requests to the main branch.
 pull_request:
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 4d4dbf0..3f16bda 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -26,6 +26,12 @@ on:
 - CONTRIBUTING.md
 - SECURITY.md
+# Permissions for the GITHUB_TOKEN used by the workflow.
+permissions:
+ contents: read # Allows reading the content of the repository.
+ packages: read # Allows reading the content of the repository's packages.
+ id-token: write
+
 # Abort prior jobs in the same workflow / PR
 concurrency:
 group: test-${{ github.ref }}
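Review bot: In .github/workflows/commitlint.yaml the new workflow-level `permissions` block also caps the token passed to the reusable workflow that `validate` calls, because a called workflow can only receive the same or fewer scopes than its caller. The hunk does not show what `callable-commitlint.yaml` declares at the pinned commit; if any job there asks for more than `contents: read` (a `pull-requests` scope would be a typical candidate), the run is rejected at startup rather than running with reduced access. Confirm the callee's declared permissions, and if it needs more, grant it with a `permissions:` mapping under `validate:` rather than widening the workflow default. The same check applies to any reusable-workflow calls in the other three files, whose job bodies lie outside their hunks.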
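Review bot: In .github/workflows/lint.yaml the `permissions` block is inserted between `name:` and `on:`, whereas the other three workflows in this commit place it after the `on:` block. Key order does not change behaviour, but keeping the block in one position (after `on:`, before `jobs:` or `concurrency:`) makes token scopes easier to audit across workflows. The `on:` block continues outside the hunk.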
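Review bot: In .github/workflows/test.yaml `id-token: write` is granted at workflow level and is the only added scope without a comment, so every job in the workflow can request an OIDC token. The jobs are outside the hunk, so it is not visible which of them actually federates to an external service; if only one does, declare the scope in that job's own `permissions:` block, restating `contents: read` and `packages: read` there since a job-level block replaces the workflow default. If the grant has to stay at the top, document it like its neighbours, e.g. `id-token: write # Needed to request an OIDC token for <purpose>`, and check that the relying party's trust policy pins the expected repository and ref claims. Note also that every scope not listed here now defaults to `none`, so a job that comments on pull requests or uploads results would need its scope added explicitly.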