diff --git a/.github/workflows/autopublish.yml b/.github/workflows/autopublish.yml
index c9e23f7dfaa3..bf0cb29c1db7 100644
--- a/.github/workflows/autopublish.yml
+++ b/.github/workflows/autopublish.yml
@@ -10,6 +10,9 @@ concurrency:
 group: autopublish
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 autopublish:
 if: github.repository == 'Homebrew/homebrew-cask'
diff --git a/.github/workflows/bump-unversioned-casks.yml b/.github/workflows/bump-unversioned-casks.yml
index 3961c8392f34..7ceabbea7297 100644
--- a/.github/workflows/bump-unversioned-casks.yml
+++ b/.github/workflows/bump-unversioned-casks.yml
@@ -21,6 +21,9 @@ env:
 HOMEBREW_DEVELOPER: 1
 HOMEBREW_NO_AUTO_UPDATE: 1
+permissions:
+ contents: read
+
 jobs:
 bump-unversioned-casks:
 if: startsWith(github.repository, 'Homebrew/')
diff --git a/.github/workflows/cache.yml b/.github/workflows/cache.yml
index be77fc4546df..91e3062bb0d6 100644
--- a/.github/workflows/cache.yml
+++ b/.github/workflows/cache.yml
@@ -11,6 +11,9 @@ concurrency:
 group: cache
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 update:
 if: startsWith(github.repository, 'Homebrew/')
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9fd0afe7c4b1..a515f882616d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,6 +11,9 @@ concurrency:
 group: "${{ github.ref }}"
 cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+permissions:
+ contents: read
+
 jobs:
 generate-matrix:
 outputs:
diff --git a/.github/workflows/dispatch-command.yml b/.github/workflows/dispatch-command.yml
index 5bd9b3ce1c8d..6c7507158b84 100644
--- a/.github/workflows/dispatch-command.yml
+++ b/.github/workflows/dispatch-command.yml
@@ -4,6 +4,9 @@ on:
 issue_comment:
 types: [created]
+permissions:
+ contents: read
+
 jobs:
 dispatch-command:
 if: startsWith(github.repository, 'Homebrew/')
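Review bot: The workflow-level `permissions:` block added in autopublish.yml sets every scope it does not list to `none`, so any job that writes through `GITHUB_TOKEN` (pushing, labelling, commenting, re-running runs) will start failing unless it declares its own scopes. The job bodies lie outside every hunk, so this cannot be confirmed from the diff; the same applies to the other ten files, and rebase.yml, rerun-workflow.yml, sync-labels.yml and triage.yml are the ones whose names suggest write operations. Where a job does need more, grant it at job level rather than widening the default, for example a job-level `permissions:` with `pull-requests: write`. A one-line comment above each block would keep the intent visible: `# Least-privilege default for GITHUB_TOKEN; grant write scopes per job.`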
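Review bot: In dispatch-command.yml the new `contents: read` limits only `GITHUB_TOKEN`; a personal access token or app token read from `secrets` keeps its own scopes, and this workflow runs on `issue_comment`, which any user able to comment can trigger. The visible guard `if: startsWith(github.repository, 'Homebrew/')` checks the repository, not the commenter, and the rest of the job is outside the hunk. If a step there hands a secret token to the dispatch action, confirm that the step also restricts who may issue commands. A comment above the block would stop readers from over-trusting it: `# Limits GITHUB_TOKEN only; tokens read from secrets keep their own scopes.`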
diff --git a/.github/workflows/publish-commit-casks.yml b/.github/workflows/publish-commit-casks.yml
index 5b53ddf8937f..d6db90e45b5f 100644
--- a/.github/workflows/publish-commit-casks.yml
+++ b/.github/workflows/publish-commit-casks.yml
@@ -15,6 +15,9 @@ env:
 HOMEBREW_DEVELOPER: 1
 HOMEBREW_NO_AUTO_UPDATE: 1
+permissions:
+ contents: read
+
 jobs:
 upload:
 runs-on: 'ubuntu-latest'
diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml
index 027d27d6d86b..9df93469c071 100644
--- a/.github/workflows/rebase.yml
+++ b/.github/workflows/rebase.yml
@@ -4,6 +4,9 @@ on:
 repository_dispatch:
 types: [rebase-command]
+permissions:
+ contents: read
+
 jobs:
 rebase_pull_request:
 name: Rebase Pull Request
diff --git a/.github/workflows/rerun-workflow.yml b/.github/workflows/rerun-workflow.yml
index 60f64a600050..cd7e87cf70d5 100644
--- a/.github/workflows/rerun-workflow.yml
+++ b/.github/workflows/rerun-workflow.yml
@@ -14,6 +14,9 @@ on:
 schedule:
 - cron: '30 */3 * * *' # every 3 hours (30 minutes past the hour)
+permissions:
+ contents: read
+
 jobs:
 rerun-workflow:
 if: >
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index 5e74421ba4cc..324e0e665d94 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -2,6 +2,9 @@ name: Sync labels.
 on: label
+permissions:
+ contents: read
+
 jobs:
 sync-labels:
 if: github.repository == 'Homebrew/homebrew-cask'
diff --git a/.github/workflows/sync-templates-and-ci-config.yml b/.github/workflows/sync-templates-and-ci-config.yml
index c4c256a9d1a1..ae5d6f8d9e88 100644
--- a/.github/workflows/sync-templates-and-ci-config.yml
+++ b/.github/workflows/sync-templates-and-ci-config.yml
@@ -10,6 +10,9 @@ concurrency:
 group: sync-templates-and-ci-config
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 sync-templates-and-ci-config:
 if: github.repository == 'Homebrew/homebrew-cask'
diff --git a/.github/workflows/triage.yml b/.github/workflows/triage.yml
index a5ca61b51c45..57c148234bf6 100644
--- a/.github/workflows/triage.yml
+++ b/.github/workflows/triage.yml
@@ -6,6 +6,9 @@ concurrency:
 group: "triage-${{ github.event.number }}"
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 triage:
 runs-on: ubuntu-latest