ci: add top-level permissions to workflow files

Add `permissions: contents: read` at the workflow level for bump-libs.yaml, format.yaml, master.yaml, and release.yaml to follow the principle of least privilege. Job-level permissions that require elevated access will override this as expected. Signed-off-by: Gagan H R <hrgagan4@gmail.com>
2026-03-18 10:44:27 +00:00 · 2026-03-11 21:40:28 +05:30
parent 6fdb686b7a
commit 8171176e31
4 changed files with 12 additions and 0 deletions
--- a/.github/workflows/bump-libs.yaml
+++ b/.github/workflows/bump-libs.yaml
@@ -6,6 +6,9 @@ on:
  schedule:
    - cron: '30 6 * * 1' # on each monday 6:30

+permissions:
+  contents: read
+
 # Checks if any concurrent jobs is running for kernels CI and eventually cancel it.
 concurrency:
  group: bump-libs-ci
--- a/.github/workflows/format.yaml
+++ b/.github/workflows/format.yaml
@@ -6,6 +6,9 @@ on:
      - master
      - "release/**"

+permissions:
+  contents: read
+
 jobs:
  format:
    name: format code 🐲
--- a/.github/workflows/master.yaml
+++ b/.github/workflows/master.yaml
@@ -3,6 +3,9 @@ on:
  push:
    branches: [master]

+permissions:
+  contents: read
+
 # Checks if any concurrent jobs is running for master CI and eventually cancel it
 concurrency:
  group: ci-master
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -3,6 +3,9 @@ on:
  release:
    types: [published]

+permissions:
+  contents: read
+
 # Checks if any concurrent jobs is running for release CI and eventually cancel it.
 concurrency:
  group: ci-release