Token permissions (#1580)

pnacht · web-flow · commit 504b5a67aec3 · 2025-01-16T17:23:47.000-08:00
* Run continuous_integration.yml with read-only permissions

Signed-off-by: Pedro Kaj Kjellerup Nacht &lt;pnacht@google.com&gt;

* Future-proof other workflow tokens

Signed-off-by: Pedro Kaj Kjellerup Nacht &lt;pnacht@google.com&gt;

---------

Signed-off-by: Pedro Kaj Kjellerup Nacht &lt;pnacht@google.com&gt;
diff --git a/.github/workflows/auto-assignment.yaml b/.github/workflows/auto-assignment.yaml
@@ -8,12 +8,13 @@ on:
 
 permissions:
   contents: read
-  issues: write
-  pull-requests: write
 
 jobs:
   welcome:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - uses: actions/checkout@v3
       - uses: actions/github-script@v6
diff --git a/.github/workflows/continuous_integration.yml b/.github/workflows/continuous_integration.yml
@@ -5,6 +5,9 @@ on:
     branches: [master]
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   black:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/stale-issues-pr.yml b/.github/workflows/stale-issues-pr.yml
@@ -3,6 +3,9 @@ on:
   schedule:
     - cron: "30 1 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   close-issues:
     runs-on: ubuntu-latest
