diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d2b7ff04..95b10d07 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,7 +10,10 @@ on:
 branches: [ main ]
 permissions:
+ contents: read
 pull-requests: write
+ actions: read
+ statuses: write
 jobs:
 build:
@@ -78,5 +81,3 @@ jobs:
 wait-on: "http://localhost:3000"
 wait-on-timeout: 120
 run: npm run cypress:run
-
-
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index d3dfacbb..2b9cdc7e 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -19,6 +19,12 @@ on:
 schedule:
 - cron: '25 10 * * 1'
+permissions:
+ security-events: write
+ contents: read
+ actions: read
+ statuses: write
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index aa041d99..a606b49a 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -8,6 +8,10 @@ permissions:
 jobs:
 dependency-review:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
+
 steps:
 - name: 'Checkout Repository'
 uses: actions/checkout@v4
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 69c2ecd5..82d14da9 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -2,6 +2,11 @@ name: Code Cleanliness
 on: [pull_request]
+permissions:
+ contents: read
+ pull-requests: none
+ actions: read
+
 env: # environment variables (available in any part of the action)
 NODE_VERSION: 18
@@ -26,4 +31,4 @@ jobs:
 - name: Code Linting
 run: |
 npm run lint
- npm run lint --workspaces --if-present
\ No newline at end of file
+ npm run lint --workspaces --if-present
diff --git a/.github/workflows/npm.yml b/.github/workflows/npm.yml
index 44a3c4a7..84a55bfb 100644
--- a/.github/workflows/npm.yml
+++ b/.github/workflows/npm.yml
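Review bot: The added `pull-requests: write` and `statuses: write` sit in the workflow-level `permissions:` block of ci.yml, so every job in the file (including the `build` job that starts at the end of this hunk) receives a token that can comment on PRs and set commit statuses, not only the job that needs them. Keep the workflow-level block at `contents: read` and move the two write scopes into a job-level `permissions:` on the job that actually posts statuses or comments; the same pattern applies to the workflow-level `security-events: write` / `statuses: write` block in the codeql.yml hunk and to `security-events: write` / `id-token: write` in the scorecard.yml hunk. `statuses: write` in particular is only needed when a step creates commit statuses through the API, which nothing in these hunks shows; if no step does, drop it from both files. The `on:` trigger and the job bodies are outside the hunk, so which job needs each scope cannot be confirmed from here.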
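Review bot: The job-level `permissions:` added under `dependency-review` replaces, rather than extends, the workflow-level `permissions:` block named in this hunk's header context, so after this change the job's token carries only `contents: read` and `pull-requests: write`; any scope the job relied on from the top-level block must now be repeated here. If the top-level block is now only a default for other jobs, consider trimming it to `contents: read` so the file states its write grants in a single place. `pull-requests: write` is presumably for posting the review summary to the PR — confirm against the action's inputs, which are outside the hunk; the job's `steps:` list also continues past the end of the hunk.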
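Review bot: `pull-requests: none` in the new lint.yml `permissions:` block is redundant: once any scope is listed, every unlisted scope is already `none`, so the line adds nothing beyond `contents: read` and `actions: read`. Drop it, or if the intent is to document that the linter must never write to PRs, keep it with a comment such as `# explicit: lint must never write to PRs` so the next reader knows it is deliberate rather than leftover. The `on: [pull_request]` context line shows this workflow runs on PR events, which is why a read-only grant is the right default here.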
@@ -2,6 +2,11 @@ name: Publish to NPM
 on:
 release:
 types: [published]
+
+permissions:
+ contents: read
+ actions: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 3237b90d..528992cb 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -14,8 +14,10 @@ on:
 push:
 branches: [ "main" ]
-# Declare default permissions as read only.
-permissions: read-all
+permissions:
+ contents: read
+ security-events: write
+ id-token: write
 jobs:
 analysis:
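Review bot: Replacing `permissions: read-all` with a block whose only read scope is `contents: read` narrows what the `analysis` job can see, and scorecard checks that inspect other resources may silently report less rather than fail; verify the narrowed set against the action's documented required permissions before merging. `security-events: write` and `id-token: write` are also placed at workflow level, which extends the OIDC-token and SARIF-upload grant to every job in the file; the usual layout keeps the top-level block read-only and declares those two writes under the `analysis` job, which begins at the last line of this hunk and continues beyond it. The removed comment `# Declare default permissions as read only.` should come back in some form above the new block, since the block no longer reads as a read-only default and a later reader will not know why it differs from the upstream template.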