diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index f825781bd0..3dc1c7d27c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -165,6 +165,8 @@ jobs:
 continue-on-error: true
 macOS:
+ permissions:
+ contents: none
 runs-on: macos-10.15
 needs: Fetch-Source
 strategy:
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index 2fb5a77008..1a478635c5 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -21,6 +21,9 @@ concurrency:
 group: check-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 check:
 runs-on: ubuntu-18.04
diff --git a/.github/workflows/doc.yml b/.github/workflows/doc.yml
index 4c2e610758..104e65aa55 100644
--- a/.github/workflows/doc.yml
+++ b/.github/workflows/doc.yml
@@ -19,6 +19,9 @@ concurrency:
 group: docs-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 build-html:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/docker_linux.yml b/.github/workflows/docker_linux.yml
index 422bb841fd..85810b3baa 100644
--- a/.github/workflows/docker_linux.yml
+++ b/.github/workflows/docker_linux.yml
@@ -34,6 +34,9 @@ concurrency:
 group: docker-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 # Push image to GitHub Packages.
 push:
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index df35b1b7fd..58c6007d22 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -6,8 +6,14 @@ concurrency:
 group: lint-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 lint:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ statuses: write # for github/super-linter to mark status of each linter run
 name: Lint
 runs-on: ubuntu-latest
 steps:
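Review bot: In build.yml the restriction is applied only to the `macOS` job, whereas check.yml, doc.yml, docker_linux.yml and lint.yml in this same commit each get a workflow-level default. If the other jobs in build.yml (for example `Fetch-Source`, which lies outside this hunk) carry no `permissions:` block of their own, they keep the repository's default token scopes, which may include write access. Consider adding a top-level `permissions:` / `contents: read` default to build.yml as well and keeping `contents: none` as the per-job override here. A trailing comment in the style used in lint.yml, e.g. `contents: none # job does not use the token to read the repository`, would record why `none` is safe; confirm that against the job's steps, which are not visible in the hunk.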
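Review bot: In docker_linux.yml the workflow-level `permissions:` / `contents: read` added above `jobs:` sets every scope it does not list to `none`, including `packages`, while the context comment says the `push` job pushes an image to GitHub Packages. If that job authenticates to the registry with `GITHUB_TOKEN` (its steps are outside the hunk), the push will be rejected once this lands; if it logs in with a separate secret, nothing changes. In the former case grant the scope on that job only, by adding `permissions:` with `contents: read` and `packages: write` under `push:`, so the workflow default stays read-only.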
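Review bot: In lint.yml the job-level block on `lint` grants `statuses: write` to a job that, per the added comment, runs the external action `github/super-linter`, so that action's code executes with a write-capable token. The `steps:` list is outside the hunk, so whether the `uses:` reference is a mutable tag or a commit is not visible; pinning it to a full commit SHA keeps a retagged release from inheriting the write scope. The job-level `contents: read` repeats the new workflow-level default, which is harmless, but a comment on the top-level block such as `# default for all jobs; lint overrides below` would make the layering explicit.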