Limit token permissions in GitHub workflows (#440)

See ea7e27ed41/docs/checks.md (token-permissions)
2025-11-26 17:09:10 +08:00 · 2024-11-13 19:01:45 -07:00
parent af45dcfe3c
commit 07e0f1c008
29 changed files with 129 additions and 17 deletions
--- a/.github/workflows/demo-pr-build-scan-comment.yml
+++ b/.github/workflows/demo-pr-build-scan-comment.yml
@@ -4,7 +4,7 @@ on:
    types: [assigned, review_requested]

 permissions:
-  pull-requests: write
+  contents: read

 jobs:
  build-distribution:
@@ -16,6 +16,8 @@ jobs:
      uses: ./.github/actions/build-dist

  successful-build-with-always-comment:
+    permissions:
+      pull-requests: write
    needs: build-distribution
    runs-on: ubuntu-latest
    steps:
@@ -34,6 +36,8 @@ jobs:
      run: ./gradlew build --scan

  successful-build-with-comment-on-failure:
+    permissions:
+      pull-requests: write
    needs: build-distribution
    runs-on: ubuntu-latest
    steps:
@@ -52,6 +56,8 @@ jobs:
      run: ./gradlew build --scan

  failing-build-with-comment-on-failure:
+    permissions:
+      pull-requests: write
    needs: build-distribution
    runs-on: ubuntu-latest
    steps: