[BRE-848] Adding Workflow Permissions (#15250)

2025-12-11 05:43:41 +00:00 · 2025-06-20 12:34:18 -04:00
parent 750cfeea72
commit a4ef61e1fc
8 changed files with 29 additions and 0 deletions
--- a/.github/workflows/auto-branch-updater.yml
+++ b/.github/workflows/auto-branch-updater.yml
@@ -22,6 +22,8 @@ jobs:
    env:
      _BOT_EMAIL: 106330231+bitwarden-devops-bot@users.noreply.github.com
      _BOT_NAME: bitwarden-devops-bot
+    permissions:
+      contents: write
    steps:
      - name: Setup
        id: setup
--- a/.github/workflows/auto-reply-discussions.yml
+++ b/.github/workflows/auto-reply-discussions.yml
@@ -8,6 +8,9 @@ jobs:
  reply:
    name: Auto-reply
    runs-on: ubuntu-22.04
+    permissions:
+      discussions: write
+      contents: read

    steps:
      - name: Get discussion label and template name
--- a/.github/workflows/enforce-labels.yml
+++ b/.github/workflows/enforce-labels.yml
@@ -4,6 +4,9 @@ on:
  workflow_call:
  pull_request:
    types: [labeled, unlabeled, opened, edited, synchronize]
+permissions:
+  contents: read
+  pull-requests: read
 jobs:
  enforce-label:
    name: EnforceLabel
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -22,6 +22,9 @@ defaults:
  run:
    shell: bash

+permissions:
+  contents: read
+
 jobs:
  lint:
    name: Lint
--- a/.github/workflows/locales-lint.yml
+++ b/.github/workflows/locales-lint.yml
@@ -8,6 +8,9 @@ on:
    paths:
      - '**/messages.json'

+permissions:
+  contents: read
+
 jobs:
  lint:
    name: Lint
--- a/.github/workflows/release-browser.yml
+++ b/.github/workflows/release-browser.yml
@@ -22,6 +22,8 @@ jobs:
  setup:
    name: Setup
    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
    outputs:
      release_version: ${{ steps.version.outputs.version }}
    steps:
@@ -53,6 +55,8 @@ jobs:
    name: Locales Test
    runs-on: ubuntu-22.04
    needs: setup
+    permissions:
+      contents: read
    steps:
      - name: Checkout repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -89,6 +93,8 @@ jobs:
    needs:
      - setup
      - locales-test
+    permissions:
+      contents: write
    steps:
      - name: Download latest Release build artifacts
        if: ${{ github.event.inputs.release_type != 'Dry Run' }}
--- a/.github/workflows/release-web.yml
+++ b/.github/workflows/release-web.yml
@@ -18,6 +18,8 @@ jobs:
  setup:
    name: Setup
    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
    outputs:
      release_version: ${{ steps.version.outputs.version }}
      tag_version: ${{ steps.version.outputs.tag }}
@@ -50,6 +52,8 @@ jobs:
    runs-on: ubuntu-22.04
    needs:
      - setup
+    permissions:
+      contents: write
    steps:
      - name: Download latest build artifacts
        if: ${{ github.event.inputs.release_type != 'Dry Run' }}
--- a/.github/workflows/stale-bot.yml
+++ b/.github/workflows/stale-bot.yml
@@ -8,6 +8,11 @@ jobs:
  stale:
    name: 'Check for stale issues and PRs'
    runs-on: ubuntu-22.04
+    permissions:
+      actions: write
+      contents: read
+      issues: write
+      pull-requests: write
    steps:
      - name: 'Run stale action'
        uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0