Set token to explicit content read permissions

davidcassany · davidcassany · commit 3d657c95aa03 · 2024-07-08T19:09:07.000+02:00
Signed-off-by: David Cassany &lt;dcassany@suse.com&gt;
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -21,6 +21,8 @@ on:
 
 jobs:
   detect:
+    permissions:
+      content: read
     runs-on: ubuntu-latest
     outputs:
       flavor: ${{ steps.set-matrix.outputs.flavor }}
@@ -41,6 +43,7 @@ jobs:
     needs:
       - detect
     permissions:
+      content: read
       packages: write
     runs-on: ubuntu-latest
     env:
@@ -63,6 +66,8 @@ jobs:
           make DOCKER_ARGS=--push build
 
   build-matrix:
+    permissions:
+      content: read
     needs:
       - detect
       - build-toolkit
diff --git a/.github/workflows/build_and_test_arm.yaml b/.github/workflows/build_and_test_arm.yaml
@@ -17,6 +17,8 @@ concurrency:
 jobs:
 
   build-iso:
+    permissions:
+      content: read
     needs: detect
     runs-on: [self-hosted, arm64]
     env:
@@ -57,6 +59,8 @@ jobs:
           enableCrossOsArchive: true
   
   build-disk:
+    permissions:
+      content: read
     needs: detect
     runs-on: [self-hosted, arm64]
     env:
@@ -101,6 +105,8 @@ jobs:
           enableCrossOsArchive: true
 
   tests-matrix:
+    permissions:
+      content: read
     needs: 
       - build-disk
       - detect
@@ -160,6 +166,8 @@ jobs:
           make test-clean
 
   test-installer:
+    permissions:
+      content: read
     needs: 
       - build-iso
       - detect
diff --git a/.github/workflows/build_and_test_x86.yaml b/.github/workflows/build_and_test_x86.yaml
@@ -15,6 +15,7 @@ jobs:
   build-os:
     permissions:
       packages: write
+      content: read
     runs-on: ubuntu-latest
     env:
       FLAVOR: ${{ inputs.flavor }}
@@ -40,6 +41,8 @@ jobs:
           make ARCH=${{ env.ARCH }} DOCKER_ARGS=--push build-os
 
   build-iso:
+    permissions:
+      content: read
     needs: 
       - build-os
     runs-on: ubuntu-latest
@@ -82,6 +85,8 @@ jobs:
           enableCrossOsArchive: true
 
   build-disk:
+    permissions:
+      content: read
     needs:
       - build-os
     runs-on: ubuntu-latest
@@ -131,6 +136,8 @@ jobs:
           enableCrossOsArchive: true
 
   detect:
+    permissions:
+      content: read
     runs-on: ubuntu-latest
     outputs:
       tests: ${{ steps.detect.outputs.tests }}
@@ -161,6 +168,8 @@ jobs:
           echo "toolkit=ghcr.io/rancher/elemental-toolkit/elemental-cli:${VERSION}" >> $GITHUB_OUTPUT
 
   tests-matrix:
+    permissions:
+      content: read
     needs:
       - build-disk
       - detect
@@ -234,6 +243,8 @@ jobs:
           make test-clean
 
   test-installer:
+    permissions:
+      content: read
     needs:
       - build-iso
       - detect
diff --git a/.github/workflows/cli.yaml b/.github/workflows/cli.yaml
@@ -16,6 +16,8 @@ on:
       - main
 jobs:
   build:
+    permissions:
+      content: read
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
diff --git a/.github/workflows/docs-publish.yaml b/.github/workflows/docs-publish.yaml
@@ -10,6 +10,8 @@ on:
    - cron: 0 20 * * *
 jobs:
   build-deploy:
+    permissions:
+      content: read
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repo
