[gha] Restrict access to read all

hazendaz · hazendaz · commit 953b1a3503e6 · 2025-04-21T13:25:54.000-04:00
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -2,6 +2,8 @@ name: Java CI
 
 on: [workflow_dispatch, push, pull_request]
 
+permissions: read-all
+
 jobs:
   test:
     runs-on: ${{ matrix.os }}
diff --git a/.github/workflows/site.yaml b/.github/workflows/site.yaml
@@ -5,6 +5,8 @@ on:
     branches:
       - site
 
+permissions: read-all
+
 jobs:
   build:
     if: github.repository_owner == 'mybatis' && ! contains(toJSON(github.event.head_commit.message), '[maven-release-plugin]')
diff --git a/.github/workflows/sonar.yaml b/.github/workflows/sonar.yaml
@@ -5,6 +5,8 @@ on:
     branches:
       - master
 
+permissions: read-all
+
 jobs:
   build:
     if: github.repository_owner == 'mybatis'
diff --git a/.github/workflows/sonatype.yaml b/.github/workflows/sonatype.yaml
@@ -5,6 +5,8 @@ on:
     branches:
       - master
 
+permissions: read-all
+
 jobs:
   build:
     if: github.repository_owner == 'mybatis' && ! contains(toJSON(github.event.head_commit.message), '[maven-release-plugin]')
