diff --git a/.github/workflows/backend-tests.yml b/.github/workflows/backend-tests.yml index a012b0c67..6fd037b7c 100644 --- a/.github/workflows/backend-tests.yml +++ b/.github/workflows/backend-tests.yml @@ -3,6 +3,9 @@ name: "Backend tests" # any branch is useful for testing before a PR is submitted on: [push, pull_request] +permissions: + contents: read + jobs: withoutpluginsLinux: # run on pushes to any branch diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 90b8ab7e9..a65867f8f 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -9,8 +9,15 @@ on: schedule: - cron: '0 13 * * 1' +permissions: + contents: read + jobs: analyze: + permissions: + actions: read # for github/codeql-action/init to get workflow details + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/autobuild to send a status report name: Analyze runs-on: ubuntu-latest steps: diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 047cbb368..37461cf7b 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -8,6 +8,9 @@ on: - 'v?[0-9]+.[0-9]+.[0-9]+' env: TEST_TAG: etherpad/etherpad:test +permissions: + contents: read + jobs: docker: runs-on: ubuntu-latest diff --git a/.github/workflows/lint-package-lock.yml b/.github/workflows/lint-package-lock.yml index 7c20dd8cc..dcbde7cee 100644 --- a/.github/workflows/lint-package-lock.yml +++ b/.github/workflows/lint-package-lock.yml @@ -3,6 +3,9 @@ name: "Lint" # any branch is useful for testing before a PR is submitted on: [push, pull_request] +permissions: + contents: read + jobs: lint-package-lock: # run on pushes to any branch diff --git a/.github/workflows/load-test.yml b/.github/workflows/load-test.yml index d196b3ebb..6e986a8b5 100644 --- a/.github/workflows/load-test.yml +++ b/.github/workflows/load-test.yml @@ -3,6 +3,9 @@ name: "Loadtest" # any branch is useful for testing before a PR is submitted on: [push, pull_request] +permissions: + contents: read + jobs: withoutplugins: # run on pushes to any branch diff --git a/.github/workflows/rate-limit.yml b/.github/workflows/rate-limit.yml index 893830464..a4e0d28fb 100644 --- a/.github/workflows/rate-limit.yml +++ b/.github/workflows/rate-limit.yml @@ -3,6 +3,9 @@ name: "rate limit" # any branch is useful for testing before a PR is submitted on: [push, pull_request] +permissions: + contents: read + jobs: ratelimit: # run on pushes to any branch diff --git a/.github/workflows/upgrade-from-latest-release.yml b/.github/workflows/upgrade-from-latest-release.yml index 67251dc77..2c04faeff 100644 --- a/.github/workflows/upgrade-from-latest-release.yml +++ b/.github/workflows/upgrade-from-latest-release.yml @@ -3,6 +3,9 @@ name: "Upgrade from latest release" # any branch is useful for testing before a PR is submitted on: [push, pull_request] +permissions: + contents: read + jobs: withpluginsLinux: # run on pushes to any branch diff --git a/.github/workflows/windows-zip.yml b/.github/workflows/windows-zip.yml index f2a22e3ef..2512b3134 100644 --- a/.github/workflows/windows-zip.yml +++ b/.github/workflows/windows-zip.yml @@ -3,6 +3,9 @@ name: "Windows Zip" # any branch is useful for testing before a PR is submitted on: [push, pull_request] +permissions: + contents: read + jobs: build: # run on pushes to any branch @@ -52,6 +55,8 @@ jobs: deploy: # run on pushes to any branch # run on PRs from external forks + permissions: + contents: none if: | (github.event_name != 'pull_request') || (github.event.pull_request.head.repo.id != github.event.pull_request.base.repo.id)