diff --git a/.github/workflows/auto-branch-updater.yml b/.github/workflows/auto-branch-updater.yml
index dc4a43fc34e..3f67388fd0c 100644
--- a/.github/workflows/auto-branch-updater.yml
+++ b/.github/workflows/auto-branch-updater.yml
@@ -22,6 +22,8 @@ jobs:
 env:
 _BOT_EMAIL: 106330231+bitwarden-devops-bot@users.noreply.github.com
 _BOT_NAME: bitwarden-devops-bot
+ permissions:
+ contents: write
 steps:
 - name: Setup
 id: setup
diff --git a/.github/workflows/auto-reply-discussions.yml b/.github/workflows/auto-reply-discussions.yml
index 8becc7471c5..83970ab3619 100644
--- a/.github/workflows/auto-reply-discussions.yml
+++ b/.github/workflows/auto-reply-discussions.yml
@@ -8,6 +8,9 @@ jobs:
 reply:
 name: Auto-reply
 runs-on: ubuntu-22.04
+ permissions:
+ discussions: write
+ contents: read
 steps:
 - name: Get discussion label and template name
diff --git a/.github/workflows/enforce-labels.yml b/.github/workflows/enforce-labels.yml
index 40ddfe7739f..12a771fd3c0 100644
--- a/.github/workflows/enforce-labels.yml
+++ b/.github/workflows/enforce-labels.yml
@@ -4,6 +4,9 @@ on:
 workflow_call:
 pull_request:
 types: [labeled, unlabeled, opened, edited, synchronize]
+permissions:
+ contents: read
+ pull-requests: read
 jobs:
 enforce-label:
 name: EnforceLabel
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 4fbef027c7c..4246d623f04 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -22,6 +22,9 @@ defaults:
 run:
 shell: bash
 
+permissions:
+ contents: read
+
 jobs:
 lint:
 name: Lint
diff --git a/.github/workflows/locales-lint.yml b/.github/workflows/locales-lint.yml
index 8c9447ea50f..0c8148d4c28 100644
--- a/.github/workflows/locales-lint.yml
+++ b/.github/workflows/locales-lint.yml
@@ -8,6 +8,9 @@ on:
 paths:
 - '**/messages.json'
 
+permissions:
+ contents: read
+
 jobs:
 lint:
 name: Lint
diff --git a/.github/workflows/release-browser.yml b/.github/workflows/release-browser.yml
index 498f8748959..ac79287f84d 100644
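Review bot: The new `permissions:` block is attached only to the job shown, so any other job in this workflow, or one added later, still runs with the repository's default GITHUB_TOKEN grant; lint.yml and locales-lint.yml in this same change take the safer shape of a workflow-level `permissions:` block with `contents: read` that individual jobs then raise as needed. The same job-only pattern appears in the auto-reply-discussions.yml, release-browser.yml, release-web.yml and stale-bot.yml hunks. The `_BOT_EMAIL`/`_BOT_NAME` env entries suggest the push may be done under a bot identity rather than GITHUB_TOKEN; if the push step (outside this hunk) authenticates with its own token, `contents: write` here is likely unnecessary, but that step is not visible. A one-line comment naming the consumer, e.g. `contents: write # <step name> pushes the updated branch`, would make the grant reviewable.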
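Review bot: This workflow is also entered via `workflow_call:`, and a called workflow can only narrow the GITHUB_TOKEN permissions its caller passes in, never widen them, so the new `contents: read` / `pull-requests: read` block is a cap rather than a guarantee when the workflow is reused. A short comment above it, e.g. `# Also the minimum a caller must grant when reusing this workflow via workflow_call`, would keep that dependency visible. As a point of style, lint.yml and locales-lint.yml separate the block from `jobs:` with a blank line while this hunk does not, so the three files are inconsistent. The enforce-label job continues past the end of the hunk.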
--- a/.github/workflows/release-browser.yml
+++ b/.github/workflows/release-browser.yml
@@ -22,6 +22,8 @@ jobs:
 setup:
 name: Setup
 runs-on: ubuntu-22.04
+ permissions:
+ contents: read
 outputs:
 release_version: ${{ steps.version.outputs.version }}
 steps:
@@ -53,6 +55,8 @@ jobs:
 name: Locales Test
 runs-on: ubuntu-22.04
 needs: setup
+ permissions:
+ contents: read
 steps:
 - name: Checkout repo
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -89,6 +93,8 @@ jobs:
 needs:
 - setup
 - locales-test
+ permissions:
+ contents: write
 steps:
 - name: Download latest Release build artifacts
 if: ${{ github.event.inputs.release_type != 'Dry Run' }}
diff --git a/.github/workflows/release-web.yml b/.github/workflows/release-web.yml
index 0301b814796..5a3c29d29fc 100644
--- a/.github/workflows/release-web.yml
+++ b/.github/workflows/release-web.yml
@@ -18,6 +18,8 @@ jobs:
 setup:
 name: Setup
 runs-on: ubuntu-22.04
+ permissions:
+ contents: read
 outputs:
 release_version: ${{ steps.version.outputs.version }}
 tag_version: ${{ steps.version.outputs.tag }}
@@ -50,6 +52,8 @@ jobs:
 runs-on: ubuntu-22.04
 needs:
 - setup
+ permissions:
+ contents: write
 steps:
 - name: Download latest build artifacts
 if: ${{ github.event.inputs.release_type != 'Dry Run' }}
diff --git a/.github/workflows/stale-bot.yml b/.github/workflows/stale-bot.yml
index abb292f53f3..13acde2b0fc 100644
--- a/.github/workflows/stale-bot.yml
+++ b/.github/workflows/stale-bot.yml
@@ -8,6 +8,11 @@ jobs:
 stale:
 name: 'Check for stale issues and PRs'
 runs-on: ubuntu-22.04
+ permissions:
+ actions: write
+ contents: read
+ issues: write
+ pull-requests: write
 steps:
 - name: 'Run stale action'
 uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
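Review bot: `contents: write` is granted to the whole release job, including the artifact download steps that follow it, while the step that actually needs the write scope (presumably release creation or asset upload) lies outside this hunk and is not named. Actions permissions cannot be narrowed per step, so the practical mitigation is a comment recording the consumer, e.g. `contents: write # <step name> creates the GitHub release`, so the grant is revisited if that step later moves to a bot or app token. The release-web.yml hunk that adds `contents: write` to its release job has the same gap. The job definition begins before this hunk.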
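Review bot: `actions: write` is the widest scope in this block — it also permits cancelling and re-running workflow runs and deleting caches and artifacts — and nothing in the hunk records why the stale job needs it, so a later reviewer cannot tell whether it is required or over-broad. If it is there for actions/stale's cache-backed state persistence (an inference; confirm against the pinned v9.1.0 action's documentation), say so inline: `actions: write # state cache used by actions/stale`. The other four scopes are consistent with an issue/PR triage job and read as intended. The step list continues past the end of the hunk.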