
Commit 39b8986

authored
security(workflows): only set write permissions inside jobs (#975)
1 parent 1145c82 commit 39b8986


3 files changed

+6
-8
lines changed


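--- a/.github/workflows/dotnetcore.yml
+++ b/.github/workflows/dotnetcore.yml
@@ -1,8 +1,6 @@
 # For details of what checks are run for PRs please refer below
 name: .NET Core CI
-
-permissions:
-contents: read
+permissions: read-all
 
 on: [pull_request, workflow_dispatch]
 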
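Review bot: The new top-level `permissions: read-all` gives the GITHUB_TOKEN read access to every scope, which is wider than the `contents: read` block it replaces, where every unlisted scope was `none`. The commit's aim of confining write access to jobs is still met by keeping `permissions:` with `contents: read` at the top level, or by `permissions: {}` with per-job grants, and either keeps the token at least privilege for a build that runs on `pull_request` and `workflow_dispatch`. The same widening is made in issue-label-triage.yml and release.yml. If a job really needs to read another scope, listing that scope explicitly makes the need visible in review.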

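--- a/.github/workflows/issue-label-triage.yml
+++ b/.github/workflows/issue-label-triage.yml
@@ -1,14 +1,13 @@
 # https://docs.github.com/en/actions/managing-issues-and-pull-requests/adding-labels-to-issues
 
 name: Label issues
+permissions: read-all
+
 on:
 issues:
 types:
 - reopened
 - opened
-permissions:
-contents: read
-
 jobs:
 label_issues:
 runs-on: ubuntu-latest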

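--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -18,8 +18,7 @@
 # make sure the correct branch is selected. It will default to the default
 # branch.
 name: Release
-permissions:
-contents: write
+permissions: read-all
 
 on:
 workflow_dispatch
@@ -28,6 +27,8 @@ jobs:
 release:
 name: Release
 runs-on: ubuntu-latest
+permissions:
+contents: write
 timeout-minutes: 30
 steps:
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0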
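Review bot: With the job-level `permissions:` block added to `release`, the `actions/checkout` step that follows runs with a `contents: write` token, and checkout keeps that token in the local git configuration for later steps unless `persist-credentials: false` is set. The step's `with:` block and the remaining steps are outside this hunk, so this may already be handled. If the release steps do not push with git, setting `persist-credentials: false` on the checkout step keeps the write token away from build scripts and third-party actions that run afterwards. A one-line comment above the new block saying what the write scope is used for would also record why this job is the exception to the read-only default.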
