Set least privileged token permission for GitHub Actions (fatedier#3155)

ashishkurmi · web-flow · commit da51adc27670 · 2022-10-31T15:46:46.000+08:00
Signed-off-by: Ashish Kurmi &lt;akurmi@stepsecurity.io&gt;
diff --git a/.github/workflows/build-and-push-image.yml b/.github/workflows/build-and-push-image.yml
@@ -9,6 +9,9 @@ on:
         description: 'Image tag'
         required: true
         default: 'test'
+permissions:
+  contents: read
+
 jobs:
   image:
     name: Build Image from Dockerfile and binaries
diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml
@@ -3,6 +3,9 @@ name: goreleaser
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   goreleaser:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -8,8 +8,14 @@ on:
         description: 'In debug mod'
         required: false
         default: 'false'
+permissions:
+  contents: read
+
 jobs:
   stale:
+    permissions:
+      issues: write  # for actions/stale to close stale issues
+      pull-requests: write  # for actions/stale to close stale PRs
     runs-on: ubuntu-latest
     steps:
     - uses: actions/stale@v6
