Explicit workflow permissions

hendrikvanantwerpen · hendrikvanantwerpen · commit a6b0f7f6af89 · 2025-03-04T13:52:47.000+01:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,11 +1,15 @@
 name: Continuous integration
+
 on:
   push:
     branches: [main]
   pull_request:
   schedule:
     - cron: "0 0 1,15 * *"
 
+permissions:
+  contents: read
+
 # In the event that there is a new push to the ref, cancel any running jobs because there are now obsolete, and wasting resources.
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/perf.yml b/.github/workflows/perf.yml
@@ -1,9 +1,14 @@
 name: Performance testing
+
 on:
   pull_request:
     paths:
       - 'stack-graphs/**'
 
+permissions:
+  contents: read
+  pull-requests: write
+
 # In the event that there is a new push to the ref, cancel any running jobs because there are now obsolete, and wasting resources.
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/publish-lsp-positions.yml b/.github/workflows/publish-lsp-positions.yml
@@ -5,6 +5,9 @@ on:
     tags:
       - lsp-positions-v*
 
+permissions:
+  contents: write
+
 jobs:
   publish-crate:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/publish-stack-graphs.yml b/.github/workflows/publish-stack-graphs.yml
@@ -5,6 +5,9 @@ on:
     tags:
       - stack-graphs-v*
 
+permissions:
+  contents: write
+
 jobs:
   publish-crate:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/publish-tree-sitter-stack-graphs-java.yml b/.github/workflows/publish-tree-sitter-stack-graphs-java.yml
@@ -5,6 +5,9 @@ on:
     tags:
       - tree-sitter-stack-graphs-java-v*
 
+permissions:
+  contents: write
+
 jobs:
   publish-crate:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/publish-tree-sitter-stack-graphs-javascript.yml b/.github/workflows/publish-tree-sitter-stack-graphs-javascript.yml
@@ -5,6 +5,9 @@ on:
     tags:
       - tree-sitter-stack-graphs-javascript-v*
 
+permissions:
+  contents: write
+
 jobs:
   publish-crate:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/publish-tree-sitter-stack-graphs-python.yml b/.github/workflows/publish-tree-sitter-stack-graphs-python.yml
@@ -5,6 +5,9 @@ on:
     tags:
       - tree-sitter-stack-graphs-python-v*
 
+permissions:
+  contents: write
+
 jobs:
   publish-crate:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/publish-tree-sitter-stack-graphs-typescript.yml b/.github/workflows/publish-tree-sitter-stack-graphs-typescript.yml
@@ -5,6 +5,9 @@ on:
     tags:
       - tree-sitter-stack-graphs-typescript-v*
 
+permissions:
+  contents: write
+
 jobs:
   publish-crate:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/publish-tree-sitter-stack-graphs.yml b/.github/workflows/publish-tree-sitter-stack-graphs.yml
@@ -5,6 +5,9 @@ on:
     tags:
       - tree-sitter-stack-graphs-v*
 
+permissions:
+  contents: write
+
 jobs:
   publish-crate:
     runs-on: ubuntu-latest
