build: harden workflow permissions

Signed-off-by: Alex <[email protected]>
mesonbuild · Dec 1, 2022 · 9074ad9 · 9074ad9
1 parent fae24d8
commit 9074ad9
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 0 deletions.
diff --git a/.github/workflows/cygwin.yml b/.github/workflows/cygwin.yml
@@ -18,6 +18,9 @@ on:
       - ".github/workflows/cygwin.yml"
       - "run*tests.py"
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: windows-latest

diff --git a/.github/workflows/images.yml b/.github/workflows/images.yml
@@ -23,6 +23,9 @@ on:
   schedule:
     - cron: '0 0 * * 0'
 
+permissions:
+  contents: read
+
 jobs:
   build:
     # do not run the weekly scheduled job in a fork

diff --git a/.github/workflows/website.yml b/.github/workflows/website.yml
@@ -19,6 +19,9 @@ on:
     types:
       - published
 
+permissions:
+  contents: write # for release creation (svenstaro/upload-release-action)
+
 # This job is copy/paster into wrapdb CI, please update it there when doing any
 # change here.
 jobs: