Merge pull request #1970 from pi-hole/gha-perms

Add explicit permission to workflows

Author: PromoFaux

.github/workflows/build-and-publish.yml

@@ -8,6 +8,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read
+  packages: write
 
 env:
   dockerhub: ${{ secrets.DOCKERHUB_NAMESPACE }}/pihole

.github/workflows/build-and-test.yml

@@ -2,6 +2,9 @@ name: Build Image and Test
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     runs-on: ${{ matrix.runner }}

.github/workflows/codespell.yml

@@ -3,6 +3,9 @@ on:
   pull_request:
     types: [opened, synchronize, reopened, ready_for_review]
 
+permissions:
+  contents: read
+
 jobs:
   spell-check:
     if: github.event.pull_request.draft == false

.github/workflows/editorconfig.yml

@@ -3,6 +3,9 @@ on:
   pull_request:
     types: [opened, synchronize, reopened, ready_for_review]
 
+permissions:
+  contents: read
+
 jobs:
   editorconfig-checker:
     if: github.event.pull_request.draft == false

.github/workflows/housekeeping.yml

@@ -4,6 +4,9 @@ on:
     schedule:
         - cron: "0 0 * * *"
 
+permissions:
+  packages: write
+
 jobs:
     housekeeping:
         runs-on: ubuntu-latest

.github/workflows/merge-conflict.yml

@@ -8,6 +8,10 @@ on:
   pull_request_target:
     types: [synchronize]
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   main:
     runs-on: ubuntu-latest

.github/workflows/stale.yml

@@ -6,6 +6,10 @@ on:
   workflow_dispatch:
   issue_comment:
 
+permissions:
+  issues: write
+  pull-requests: write
+
 env:
   stale_label: stale
 

.github/workflows/sync-back-to-dev.yml

@@ -5,6 +5,10 @@ on:
     branches:
       - master
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   sync-branches:
     runs-on: ubuntu-latest