From e26911f403c8c462848af72db2122adbcc533808 Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Tue, 29 Oct 2024 18:48:42 +0100
Subject: [PATCH] ci: keep contents read permissions in jobs

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 .github/workflows/build.yml | 4 ++++
 .github/workflows/codeql.yml | 1 +
 .github/workflows/labeler.yml | 3 +++
 3 files changed, 8 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 229cbb9f..b0bf2112 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -227,6 +227,8 @@ jobs:
 govulncheck:
 runs-on: ubuntu-24.04
 permissions:
+ # same as global permission
+ contents: read
 # required to write sarif report
 security-events: write
 steps:
@@ -372,6 +374,8 @@ jobs:
 runs-on: ubuntu-24.04
 if: ${{ github.ref == 'refs/heads/master' && github.repository == 'docker/buildx' }}
 permissions:
+ # same as global permission
+ contents: read
 # required to write sarif report
 security-events: write
 needs:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index fe687f9a..9631b1b3 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -23,6 +23,7 @@ jobs:
 codeql:
 runs-on: ubuntu-24.04
 permissions:
+ contents: read
 actions: read
 security-events: write
 steps:
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index a5bff97e..c1b73a15 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -20,6 +20,9 @@ jobs:
 labeler:
 runs-on: ubuntu-latest
 permissions:
+ # same as global permission
+ contents: read
+ # required for writing labels
 pull-requests: write
 steps:
-
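Review bot: The `contents: read` line added to the codeql job's `permissions:` block carries no comment, while the same line added to build.yml and labeler.yml in this commit is annotated `# same as global permission`; for consistency add that comment above it here as well. That comment's claim also cannot be checked from any of these hunks, because the workflow-level `permissions:` block is outside them — worth confirming each workflow actually declares `contents: read` at the top level, since a job-level `permissions:` block replaces the workflow-level grants rather than extending them, so anything omitted here is dropped for the job. The codeql job's `steps:` continue past the end of the hunk.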