ci: add explicit permissions to workflows to mitigate security concerns (#1392)

bowenli86 · web-flow · commit fa7582d7079a · 2025-05-23T12:28:45.000-07:00
**Motivation:**

add explicit permission to all core repo CIs, and address security
concerns and alerts

**Modifications:**

add explicit permission to all core repo CIs

**Result:**

workflows are safe now
diff --git a/.github/workflows/automation.yml b/.github/workflows/automation.yml
@@ -4,6 +4,10 @@ on:
   pull_request:
     types: [opened, edited, synchronize]
 
+permissions:
+  contents: read
+  pull-requests: read
+
 jobs:
   # triage:
   #   runs-on: protocol-x64-16core
diff --git a/.github/workflows/foundry-post-merge.yml b/.github/workflows/foundry-post-merge.yml
@@ -12,6 +12,9 @@ on:
       - 'foundry.toml'
       - '**/*.sol'
 
+permissions:
+  contents: read
+  pull-requests: read
 
 env:
   FOUNDRY_PROFILE: medium
diff --git a/.github/workflows/foundry.yml b/.github/workflows/foundry.yml
@@ -7,6 +7,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+  pull-requests: read
 
 env:
   FOUNDRY_PROFILE: medium
diff --git a/.github/workflows/validate-deployment-scripts.yml b/.github/workflows/validate-deployment-scripts.yml
@@ -1,15 +1,15 @@
 name: Validate Deployment Scripts
 
-permissions:
-  contents: read
-
 on:
   workflow_dispatch:
   pull_request:
     paths:
       - 'script/**'
       - '.github/workflows/validate-deployment-scripts.yml'
 
+permissions:
+  contents: read
+  pull-requests: read
 
 jobs:
 
