ci: Add read-all permissions to GitHub workflows

Signed-off-by: Christopher Turner <christopher.g.turner@intel.com>
intel · Mar 6, 2024 · 5dd7bf0 · 5dd7bf0
1 parent 1cb5fd6
commit 5dd7bf0
Show file tree

Hide file tree

Showing 25 changed files with 51 additions and 0 deletions.
diff --git a/.github/workflows/assigner.yml b/.github/workflows/assigner.yml
@@ -11,6 +11,8 @@ on:
     - main
     - v*-branch
 
+permisions: read-all
+
 jobs:
   assignment:
     name: Pull Request Assignment

diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
@@ -7,6 +7,8 @@ on:
     branches:
       - main
 
+permissions: read-all
+
 jobs:
   backport:
     runs-on: ubuntu-20.04

diff --git a/.github/workflows/backport_issue_check.yml b/.github/workflows/backport_issue_check.yml
@@ -5,6 +5,8 @@ on:
     branches:
       - v*-branch
 
+permissions: read-all
+
 jobs:
   backport:
     name: Backport Issue Check

diff --git a/.github/workflows/bluetooth-tests-publish.yaml b/.github/workflows/bluetooth-tests-publish.yaml
@@ -5,6 +5,9 @@ on:
     workflows: ["Bluetooth Tests"]
     types:
       - completed
+
+permissions: read-all
+
 jobs:
   bluetooth-test-results:
     name: "Publish Bluetooth Test Results"

diff --git a/.github/workflows/bluetooth-tests.yaml b/.github/workflows/bluetooth-tests.yaml
@@ -11,6 +11,8 @@ on:
       - "soc/posix/**"
       - "arch/posix/**"
 
+permissions: read-all
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref }}
   cancel-in-progress: true

diff --git a/.github/workflows/bug_snapshot.yaml b/.github/workflows/bug_snapshot.yaml
@@ -13,6 +13,8 @@ on:
   # Run daily at 14:05
   - cron: '5 14 * * *'
 
+permissions: read-all
+
 jobs:
   make_bugs_pickle:
     name: Make bugs pickle

diff --git a/.github/workflows/codecov.yaml b/.github/workflows/codecov.yaml
@@ -4,6 +4,8 @@ on:
   schedule:
     - cron: '25 */3 * * 1-5'
 
+permissions: read-all
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref }}
   cancel-in-progress: true

diff --git a/.github/workflows/coding_guidelines.yml b/.github/workflows/coding_guidelines.yml
@@ -2,6 +2,8 @@ name: Coding Guidelines
 
 on: pull_request
 
+permissions: read-all
+
 jobs:
   compliance_job:
     runs-on: ubuntu-20.04

diff --git a/.github/workflows/compliance.yml b/.github/workflows/compliance.yml
@@ -2,6 +2,8 @@ name: Compliance Checks
 
 on: pull_request
 
+permissions: read-all
+
 jobs:
   check_compliance:
     runs-on: ubuntu-20.04

diff --git a/.github/workflows/daily_test_version.yml b/.github/workflows/daily_test_version.yml
@@ -10,6 +10,8 @@ on:
     branches:
     - refs/tags/*
 
+permissions: read-all
+
 jobs:
   get_version:
     runs-on: ubuntu-20.04

diff --git a/.github/workflows/devicetree_checks.yml b/.github/workflows/devicetree_checks.yml
@@ -20,6 +20,8 @@ on:
     - 'scripts/dts/**'
     - '.github/workflows/devicetree_checks.yml'
 
+permissions: read-all
+
 jobs:
   devicetree-checks:
     name: Devicetree script tests

diff --git a/.github/workflows/do_not_merge.yml b/.github/workflows/do_not_merge.yml
@@ -4,6 +4,8 @@ on:
   pull_request:
     types: [synchronize, opened, reopened, labeled, unlabeled]
 
+permissions: read-all
+
 jobs:
   do-not-merge:
     if: ${{ contains(github.event.*.labels.*.name, 'DNM') }}

diff --git a/.github/workflows/doc-build.yml b/.github/workflows/doc-build.yml
@@ -24,6 +24,8 @@ on:
     - 'scripts/dts/**'
     - 'scripts/requirements-doc.txt'
 
+permissions: read-all
+
 env:
   # NOTE: west docstrings will be extracted from the version listed here
   WEST_VERSION: 0.14.0

diff --git a/.github/workflows/doc-publish-pr.yml b/.github/workflows/doc-publish-pr.yml
@@ -10,6 +10,8 @@ on:
     types:
     - completed
 
+permissions: read-all
+
 jobs:
   doc-publish:
     name: Publish Documentation

diff --git a/.github/workflows/doc-publish.yml b/.github/workflows/doc-publish.yml
@@ -13,6 +13,8 @@ on:
     types:
     - completed
 
+permissions: read-all
+
 jobs:
   doc-publish:
     name: Publish Documentation

diff --git a/.github/workflows/errno.yml b/.github/workflows/errno.yml
@@ -6,6 +6,8 @@ on:
       - 'lib/libc/minimal/include/errno.h'
       - 'scripts/ci/errno.py'
 
+permissions: read-all
+
 jobs:
   check-errno:
     runs-on: ubuntu-20.04

diff --git a/.github/workflows/footprint-tracking.yml b/.github/workflows/footprint-tracking.yml
@@ -13,6 +13,8 @@ on:
       # same commit
       - 'v*'
 
+permissions: read-all
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref }}
   cancel-in-progress: true

diff --git a/.github/workflows/footprint.yml b/.github/workflows/footprint.yml
@@ -2,6 +2,8 @@ name: Footprint Delta
 
 on: pull_request
 
+permissions: read-all
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref }}
   cancel-in-progress: true

diff --git a/.github/workflows/issue_count.yml b/.github/workflows/issue_count.yml
@@ -4,6 +4,8 @@ on:
   schedule:
   - cron: '*/10 * * * *'
 
+permissions: read-all
+
 env:
   OUTPUT_FILE_NAME: IssuesReport.md
   COMMITTER_EMAIL: actions@github.com

diff --git a/.github/workflows/license_check.yml b/.github/workflows/license_check.yml
@@ -2,6 +2,8 @@ name: Scancode
 
 on: [pull_request]
 
+permissions: read-all
+
 jobs:
   scancode_job:
     runs-on: ubuntu-20.04

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -6,6 +6,8 @@ on:
       - 'v*'
       - '!v*rc*'
 
+permissions: read-all
+
 jobs:
   release:
     runs-on: ubuntu-20.04

diff --git a/.github/workflows/stale-workflow-queue-cleanup.yml b/.github/workflows/stale-workflow-queue-cleanup.yml
@@ -7,6 +7,8 @@ on:
   # everyday at 15:00
   - cron: '0 15 * * *'
 
+permissions: read-all
+
 concurrency:
   group: stale-workflow-queue-cleanup
   cancel-in-progress: true

diff --git a/.github/workflows/stale_issue.yml b/.github/workflows/stale_issue.yml
@@ -3,6 +3,8 @@ on:
   schedule:
   - cron: "16 00 * * *"
 
+permissions: read-all
+
 jobs:
   stale:
     name: Find Stale issues and PRs

diff --git a/.github/workflows/twister_tests.yml b/.github/workflows/twister_tests.yml
@@ -23,6 +23,8 @@ on:
     - 'scripts/tests/twister/**'
     - '.github/workflows/twister_tests.yml'
 
+permissions: read-all
+
 jobs:
   twister-tests:
     name: Twister Unit Tests

diff --git a/.github/workflows/west_cmds.yml b/.github/workflows/west_cmds.yml
@@ -21,6 +21,8 @@ on:
     - 'scripts/west_commands/**'
     - '.github/workflows/west_cmds.yml'
 
+permissions: read-all
+
 jobs:
   west-commnads:
     name: West Command Tests