🔒 Give initial script enough permissions for subscripts

shnizzedy · shnizzedy · commit bb03257230cb · 2025-04-17T11:18:22.000-04:00
diff --git a/.github/workflows/build_C-PAC.yml b/.github/workflows/build_C-PAC.yml
@@ -1,6 +1,13 @@
 name: Build C-PAC image
 
-permissions: read-all
+permissions:
+  checks: write
+  contents: read
+  deployments: write
+  issues: write
+  packages: write
+  pull-requests: write
+  statuses: write
 
 on:
   workflow_call:
diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml
@@ -17,9 +17,13 @@
 name: Build and test C-PAC
 
 permissions:
+  checks: write
   contents: read
+  deployments: write
+  issues: write
   packages: write
-  pull-requests: read
+  pull-requests: write
+  statuses: write
 
 on:
   workflow_call:
diff --git a/.github/workflows/deploy_to_Docker_Hub.yml b/.github/workflows/deploy_to_Docker_Hub.yml
@@ -1,6 +1,13 @@
 name: Deploy to Docker Hub
 
-permissions: read-all
+permissions:
+  checks: write
+  contents: read
+  deployments: write
+  issues: write
+  packages: write
+  pull-requests: write
+  statuses: write
 
 on:
   workflow_call:
diff --git a/.github/workflows/on_push.yml b/.github/workflows/on_push.yml
@@ -16,7 +16,14 @@
 # License along with C-PAC. If not, see <https://www.gnu.org/licenses/>.
 name: Build and test C-PAC
 
-permissions: read-all
+permissions:
+  checks: write
+  contents: read
+  deployments: write
+  issues: write
+  packages: write
+  pull-requests: write
+  statuses: write
 
 on:
   push:
diff --git a/.github/workflows/regression_test_full.yml b/.github/workflows/regression_test_full.yml
@@ -1,6 +1,13 @@
 name: Run Regression Full Test
 
-permissions: read-all
+permissions:
+  checks: write
+  contents: read
+  deployments: write
+  issues: write
+  packages: write
+  pull-requests: write
+  statuses: write
 
 on:
   workflow_call:
diff --git a/.github/workflows/regression_test_lite.yml b/.github/workflows/regression_test_lite.yml
@@ -1,6 +1,13 @@
 name: Launch lite regression test
 
-permissions: read-all
+permissions:
+  checks: write
+  contents: read
+  deployments: write
+  issues: write
+  packages: write
+  pull-requests: write
+  statuses: write
 
 on:
   pull_request:
diff --git a/.github/workflows/smoke_test_participant.yml b/.github/workflows/smoke_test_participant.yml
@@ -16,7 +16,14 @@
 # License along with C-PAC. If not, see <https://www.gnu.org/licenses/>.
 name: Run participant smoke test
 
-permissions: read-all
+permissions:
+  checks: write
+  contents: read
+  deployments: write
+  issues: write
+  packages: write
+  pull-requests: write
+  statuses: write
 
 on:
   workflow_call:
