reduce default workflow permissions (#77)

spinkube · Apr 2, 2024 · 5f13c4d · 5f13c4d
1 parent a7642a9
commit 5f13c4d
Show file tree

Hide file tree

Showing 6 changed files with 16 additions and 0 deletions.
diff --git a/.github/workflows/container-image.yml b/.github/workflows/container-image.yml
@@ -1,5 +1,8 @@
 name: Build container image
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:

diff --git a/.github/workflows/helm-chart-release.yml b/.github/workflows/helm-chart-release.yml
@@ -4,6 +4,9 @@
 # of the `charts` directory.
 name: Release helm chart
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:

diff --git a/.github/workflows/installer-build.yml b/.github/workflows/installer-build.yml
@@ -1,5 +1,8 @@
 name: Build installer image, sign it, and generate SBOMs
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     outputs:

diff --git a/.github/workflows/manager-build.yml b/.github/workflows/manager-build.yml
@@ -1,5 +1,8 @@
 name: Build manager image, sign it, and generate SBOMs
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     outputs:

diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -1,5 +1,7 @@
 name: Generate SBOMs
 
+permissions: {}
+
 on:
   workflow_call:
     inputs:

diff --git a/.github/workflows/sign-image.yml b/.github/workflows/sign-image.yml
@@ -1,5 +1,7 @@
 name: Sign image
 
+permissions: {}
+
 on:
   workflow_call:
     inputs: