From 8171176e3154b417bc528d56af94e39f64db8b36 Mon Sep 17 00:00:00 2001 From: Gagan H R Date: Wed, 11 Mar 2026 21:40:28 +0530 Subject: [PATCH] ci: add top-level permissions to workflow files Add `permissions: contents: read` at the workflow level for bump-libs.yaml, format.yaml, master.yaml, and release.yaml to follow the principle of least privilege. Job-level permissions that require elevated access will override this as expected. Signed-off-by: Gagan H R --- .github/workflows/bump-libs.yaml | 3 +++ .github/workflows/format.yaml | 3 +++ .github/workflows/master.yaml | 3 +++ .github/workflows/release.yaml | 3 +++ 4 files changed, 12 insertions(+) diff --git a/.github/workflows/bump-libs.yaml b/.github/workflows/bump-libs.yaml index e4cfecaa..bd8b39da 100644 --- a/.github/workflows/bump-libs.yaml +++ b/.github/workflows/bump-libs.yaml @@ -6,6 +6,9 @@ on: schedule: - cron: '30 6 * * 1' # on each monday 6:30 +permissions: + contents: read + # Checks if any concurrent jobs is running for kernels CI and eventually cancel it. concurrency: group: bump-libs-ci diff --git a/.github/workflows/format.yaml b/.github/workflows/format.yaml index 8e82dda8..ab175c6f 100644 --- a/.github/workflows/format.yaml +++ b/.github/workflows/format.yaml @@ -6,6 +6,9 @@ on: - master - "release/**" +permissions: + contents: read + jobs: format: name: format code 🐲 diff --git a/.github/workflows/master.yaml b/.github/workflows/master.yaml index 9f3a1e6e..9fb4a161 100644 --- a/.github/workflows/master.yaml +++ b/.github/workflows/master.yaml @@ -3,6 +3,9 @@ on: push: branches: [master] +permissions: + contents: read + # Checks if any concurrent jobs is running for master CI and eventually cancel it concurrency: group: ci-master diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 74e3a4da..65204e51 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
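Review bot: The new workflow-level `permissions:` block in bump-libs.yaml replaces the repository's default `GITHUB_TOKEN` grant for every job, and the identical blocks in format.yaml, master.yaml and release.yaml do the same; the jobs themselves lie outside all four hunks, so it is not visible here whether every job that writes (a scheduled dependency bump that opens a pull request, a release job that uploads assets or publishes packages) already declares its own `permissions:`. A job-level block does not extend the workflow-level one but replaces it entirely, so a job that adds only `packages: write` without repeating `contents: read` can no longer check a private repository out with the default token; each elevated job should list its complete scope set. A short comment would keep that intent visible to the next editor, e.g. `# Default token scope for every job; a job needing more must declare its own complete` / `# permissions: block (job-level permissions replace this set, they do not extend it).`. The commit message's claim that job-level permissions override this as expected is best confirmed by exercising the release workflow, since a missing write scope there only surfaces at publish time.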
@@ -3,6 +3,9 @@ on: release: types: [published] +permissions: + contents: read + # Checks if any concurrent jobs is running for release CI and eventually cancel it. concurrency: group: ci-release