chore(gh): update workflow permissions

tenthirtyam · tenthirtyam · commit 99dcff2bf186 · 2025-04-09T10:44:07.000-04:00
Explicitly defines the permissions granted to the `GITHUB_TOKEN` used within the workflows.

By default, the `GITHUB_TOKEN` has broad write access. Limiting these permissions to only what the workflow actually needs.

Signed-off-by: Ryan Johnson &lt;ryan.johnson@broadcom.com&gt;
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -1,16 +1,17 @@
----
-name: Manage Stale Items
+name: Stale
 
 on:
   schedule:
     - cron: 00 00 * * *
 
+permissions:
+  contents: read
+  issues: write
+  pull-requests: write
+
 jobs:
   stale:
     runs-on: ubuntu-latest
-    permissions:
-      issues: write
-      pull-requests: write
     steps:
       - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
         with:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -1,8 +1,11 @@
-name: golang-test
+name: Test
 
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   gotest:
     name: gotest
