Added default WF permission to read-only

soumeh01 · soumeh01 · commit f64c0b4cb2f1 · 2025-05-12T11:44:15.000+02:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -16,8 +16,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
-  contents: read
+# Declare default permissions as read only
+permissions: read-all
 
 jobs:
   build:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -8,11 +8,8 @@ on:
     branches:
       - main
 
-permissions:
-  actions: read
-  checks: write
-  contents: read
-  security-events: write
+# Declare default permissions as read only
+permissions: read-all
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -22,6 +19,11 @@ jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      checks: write
+      contents: read
+      security-events: write
 
     steps:
       - name: Harden the runner (Audit all outbound calls)
diff --git a/.github/workflows/markdown.yml b/.github/workflows/markdown.yml
@@ -13,6 +13,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Declare default permissions as read only
+permissions: read-all
+
 jobs:
   linter:
     name: Lint Markdown Files
diff --git a/.github/workflows/mkdocs.yml b/.github/workflows/mkdocs.yml
@@ -16,8 +16,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
-  contents: read
+# Declare default permissions as read only
+permissions: read-all
 
 jobs:
   build:
diff --git a/.github/workflows/tpip.yml b/.github/workflows/tpip.yml
@@ -16,8 +16,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
-  contents: read
+# Declare default permissions as read only
+permissions: read-all
 
 jobs:
   report:
