ci: add explicit permissions to all workflows - fixes scorecard token-permissions

Signed-off-by: vmfunc <celeste@linux.com>
2026-03-12 21:23:04 -07:00 · 2026-02-13 01:40:22 +01:00
parent e94fda0acf
commit fcf9291653
13 changed files with 47 additions and 0 deletions
--- a/.github/workflows/automatic-rebase.yml
+++ b/.github/workflows/automatic-rebase.yml
@@ -2,6 +2,11 @@ name: automatic rebase
 on:
  issue_comment:
    types: [created]
+
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
  rebase:
    name: Rebase
--- a/.github/workflows/check-large-files.yml
+++ b/.github/workflows/check-large-files.yml
@@ -5,6 +5,9 @@ on:
  push:
    branches: [main]

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
--- a/.github/workflows/code_quality.yml
+++ b/.github/workflows/code_quality.yml
@@ -6,6 +6,8 @@ on:
    branches:
      - main

+permissions: {}
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -6,6 +6,9 @@ on:
  pull_request:
    branches: ["main"]

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@@ -8,6 +8,9 @@ on:
  schedule:
    - cron: "0 6 * * 1" # monday 06:00 UTC

+permissions:
+  contents: read
+
 jobs:
  govulncheck:
    runs-on: ubuntu-latest
--- a/.github/workflows/header-check.yml
+++ b/.github/workflows/header-check.yml
@@ -8,6 +8,9 @@ on:
    paths:
      - '**.go'

+permissions:
+  contents: read
+
 jobs:
  check-headers:
    runs-on: ubuntu-latest
--- a/.github/workflows/language.yml
+++ b/.github/workflows/language.yml
@@ -12,6 +12,12 @@ on:
    types:
      - created
      - edited
+
+permissions:
+  contents: read
+  issues: write
+  pull-requests: write
+
 jobs:
  echo_issue_comment:
    runs-on: ubuntu-latest
--- a/.github/workflows/markdown-lint.yml
+++ b/.github/workflows/markdown-lint.yml
@@ -5,6 +5,10 @@ on:
    paths:
      - "**/*.md"

+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
  markdownlint:
    name: runner / markdownlint
--- a/.github/workflows/misspell.yml
+++ b/.github/workflows/misspell.yml
@@ -5,6 +5,10 @@ on:
  push:
    branches: [main]

+permissions:
+  contents: read
+  pull-requests: write
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
--- a/.github/workflows/reportcard.yml
+++ b/.github/workflows/reportcard.yml
@@ -7,6 +7,9 @@ on:
    branches: [main]
  workflow_call:

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
--- a/.github/workflows/runtest.yml
+++ b/.github/workflows/runtest.yml
@@ -7,6 +7,9 @@ on:
    branches: [main]
  workflow_call:

+permissions:
+  contents: read
+
 jobs:
  build-and-test:
    runs-on: ubuntu-latest
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -5,6 +5,10 @@ on:
    paths:
      - "**/*.sh"

+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
  shellcheck:
    name: runner / shellcheck
--- a/.github/workflows/yaml-lint.yml
+++ b/.github/workflows/yaml-lint.yml
@@ -6,6 +6,10 @@ on:
      - "**/*.yml"
      - "**/*.yaml"

+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
  yamllint:
    name: runner / yamllint