ci: fix workflow permissions

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2024-10-29 09:48:47 +01:00 · 2024-10-29 09:48:47 +01:00 · 6b2dc8ce56
parent 181348397c
commit 6b2dc8ce56
4 changed files with 9 additions and 8 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -229,8 +229,6 @@ jobs:
    permissions:
      # required to write sarif report
      security-events: write
-      # required to check out the repository
-      contents: read
    steps:
      -
        name: Checkout
@ -404,6 +402,9 @@ jobs:

  release:
    runs-on: ubuntu-24.04
+    permissions:
+      # required to create GitHub release
+      contents: write
    needs:
      - test-integration
      - test-unit
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -21,12 +21,10 @@ env:

 jobs:
  codeql:
+    runs-on: ubuntu-24.04
    permissions:
      actions: read
-      contents: read
      security-events: write
-
-    runs-on: ubuntu-24.04
    steps:
      -
        name: Checkout
--- a/.github/workflows/docs-release.yml
+++ b/.github/workflows/docs-release.yml
@ -23,6 +23,9 @@ jobs:
  open-pr:
    runs-on: ubuntu-24.04
    if: ${{ (github.event.release.prerelease != true || github.event.inputs.tag != '') && github.repository == 'docker/buildx' }}
+    permissions:
+      contents: write
+      pull-requests: write
    steps:
      -
        name: Checkout docs repo
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@ -18,10 +18,9 @@ on:

 jobs:
  labeler:
-    permissions:
-      contents: read
-      pull-requests: write
    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
    steps:
      -
        name: Run