diff --git a/.github/workflows/code-scanning-pack-gen.yml b/.github/workflows/code-scanning-pack-gen.yml
index dde0a1a3f..3cd501930 100644
--- a/.github/workflows/code-scanning-pack-gen.yml
+++ b/.github/workflows/code-scanning-pack-gen.yml
@@ -1,4 +1,6 @@
 name: Code Scanning Query Pack Generation
+permissions:
+  contents: read
 on:
   merge_group:
diff --git a/.github/workflows/codeql_unit_tests.yml b/.github/workflows/codeql_unit_tests.yml
index 0f9aadb8b..c9a557c76 100644
--- a/.github/workflows/codeql_unit_tests.yml
+++ b/.github/workflows/codeql_unit_tests.yml
@@ -1,4 +1,6 @@
 name: CodeQL Unit Testing
+permissions:
+  contents: read
 on:
   merge_group:
diff --git a/.github/workflows/dispatch-matrix-test-on-comment.yml b/.github/workflows/dispatch-matrix-test-on-comment.yml
index 499069451..d6520c8e8 100644
--- a/.github/workflows/dispatch-matrix-test-on-comment.yml
+++ b/.github/workflows/dispatch-matrix-test-on-comment.yml
@@ -1,4 +1,8 @@
 name: 🤖 Run Matrix Check (On Comment)
+permissions:
+  contents: read
+  actions: write
+  pull-requests: write
 on:
   issue_comment:
diff --git a/.github/workflows/dispatch-release-performance-check.yml b/.github/workflows/dispatch-release-performance-check.yml
index 25e293fa6..84ffa3617 100644
--- a/.github/workflows/dispatch-release-performance-check.yml
+++ b/.github/workflows/dispatch-release-performance-check.yml
@@ -1,4 +1,8 @@
 name: 🏁 Run Release Performance Check
+permissions:
+  contents: read
+  actions: write
+  pull-requests: write
 on:
   issue_comment:
diff --git a/.github/workflows/extra-rule-validation.yml b/.github/workflows/extra-rule-validation.yml
index 7fef7818a..6a49e9d26 100644
--- a/.github/workflows/extra-rule-validation.yml
+++ b/.github/workflows/extra-rule-validation.yml
@@ -1,4 +1,6 @@
 name: ⚙️ Extra Rule Validation
+permissions:
+  contents: read
 on:
   merge_group:
diff --git a/.github/workflows/finalize-release.yml b/.github/workflows/finalize-release.yml
index c6ebc8f3d..48e5fe6a1 100644
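Review bot: In dispatch-matrix-test-on-comment.yml the `actions: write` and `pull-requests: write` scopes are declared at workflow level, so every job in the file gets a token that can dispatch workflows and edit pull requests rather than only the step that needs it; dispatch-release-performance-check.yml has the same shape. The workflow-level block should be reduced to `contents: read` and the two write scopes declared in a `permissions:` block on the single job that dispatches or comments. Both files trigger on `issue_comment`, which runs on the default branch with this token for any comment, so narrowing the scope per job matters more here than in the merge_group-triggered files; the jobs themselves, and whatever gating they apply to the commenter, are outside the hunk.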
--- a/.github/workflows/finalize-release.yml
+++ b/.github/workflows/finalize-release.yml
@@ -1,4 +1,9 @@
 name: Finalize Release
+permissions:
+  contents: write
+  pull-requests: write
+  actions: write
+
 on:
   pull_request:
     types:
diff --git a/.github/workflows/generate-html-docs.yml b/.github/workflows/generate-html-docs.yml
index a28bfd790..c524ad0b8 100644
--- a/.github/workflows/generate-html-docs.yml
+++ b/.github/workflows/generate-html-docs.yml
@@ -1,4 +1,6 @@
 name: Generate HTML documentation
+permissions:
+  contents: read
 on:
   merge_group:
diff --git a/.github/workflows/standard_library_upgrade_tests.yml b/.github/workflows/standard_library_upgrade_tests.yml
index 277082d3a..1ec72be8a 100644
--- a/.github/workflows/standard_library_upgrade_tests.yml
+++ b/.github/workflows/standard_library_upgrade_tests.yml
@@ -1,4 +1,6 @@
 name: CodeQL Standard Library Upgrade tests
+permissions:
+  contents: read
 # Run this workflow every time the "supported_codeql_configs.json" file is changed
 on:
diff --git a/.github/workflows/tooling-unit-tests.yml b/.github/workflows/tooling-unit-tests.yml
index 00a36d5c6..bcb754d68 100644
--- a/.github/workflows/tooling-unit-tests.yml
+++ b/.github/workflows/tooling-unit-tests.yml
@@ -1,4 +1,6 @@
 name: 🧰 Tooling unit tests
+permissions:
+  contents: read
 on:
   merge_group:
diff --git a/.github/workflows/update-check-run.yml b/.github/workflows/update-check-run.yml
index 225c81fa2..49228c3f6 100644
--- a/.github/workflows/update-check-run.yml
+++ b/.github/workflows/update-check-run.yml
@@ -1,4 +1,6 @@
 name: Update check run
+permissions:
+  contents: read
 on:
   workflow_dispatch:
diff --git a/.github/workflows/update-release.yml b/.github/workflows/update-release.yml
index 6baf99279..b34abe191 100644
--- a/.github/workflows/update-release.yml
+++ b/.github/workflows/update-release.yml
@@ -1,4 +1,8 @@
 name: Update Release
+permissions:
+  contents: write
+  pull-requests: write
+  actions: write
 on:
   workflow_dispatch:
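Review bot: finalize-release.yml grants `contents: write`, `pull-requests: write` and `actions: write` to the whole workflow, so on this `pull_request` trigger every job's GITHUB_TOKEN can push to the repository and dispatch workflows even if only one job does so; update-release.yml (and, without `actions: write`, upgrade_codeql_dependencies.yml) gets the same workflow-wide set on `workflow_dispatch`. Prefer `contents: read` at workflow level with the write scopes on the specific job that needs them, and record why `actions: write` is required at all with a comment such as `# actions: write — needed to dispatch WORKFLOW_NAME_PLACEHOLDER` (placeholder to be replaced with the real target). This hunk also adds a blank line after the permissions block while update-release.yml and the remaining hunks do not; pick one layout for all the files. The jobs are outside the hunk.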
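Review bot: update-check-run.yml now declares only `contents: read`, and a workflow-level `permissions:` block sets every scope it does not list to none, so if the job updates the check run through GITHUB_TOKEN it has lost the `checks: write` it previously held under the repository default and will fail at that step. Either add `checks: write` here or in a job-level `permissions:` block, or confirm the job authenticates with an app or PAT token and leave this as is. The job body is outside the hunk.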
diff --git a/.github/workflows/upgrade_codeql_dependencies.yml b/.github/workflows/upgrade_codeql_dependencies.yml
index de187e0e9..8ae3555e8 100644
--- a/.github/workflows/upgrade_codeql_dependencies.yml
+++ b/.github/workflows/upgrade_codeql_dependencies.yml
@@ -1,4 +1,7 @@
 name: Upgrade supported CodeQL configuration
+permissions:
+  contents: write
+  pull-requests: write
 on:
   workflow_dispatch:
diff --git a/.github/workflows/validate-package-files.yml b/.github/workflows/validate-package-files.yml
index 4e0a51a3b..81d9a16f3 100644
--- a/.github/workflows/validate-package-files.yml
+++ b/.github/workflows/validate-package-files.yml
@@ -1,4 +1,6 @@
 name: Validate Package Files
+permissions:
+  contents: read
 on:
   merge_group:
     types: [checks_requested]
diff --git a/.github/workflows/validate-query-formatting.yml b/.github/workflows/validate-query-formatting.yml
index ed7850529..a9eee4844 100644
--- a/.github/workflows/validate-query-formatting.yml
+++ b/.github/workflows/validate-query-formatting.yml
@@ -1,4 +1,6 @@
 name: "Validate Query Formatting"
+permissions:
+  contents: read
 on:
   merge_group:
     types: [checks_requested]
diff --git a/.github/workflows/validate-query-help.yml b/.github/workflows/validate-query-help.yml
index 3ce97d8e9..e16d6efa1 100644
--- a/.github/workflows/validate-query-help.yml
+++ b/.github/workflows/validate-query-help.yml
@@ -1,4 +1,6 @@
 name: Validate Query Help Files
+permissions:
+  contents: read
 on:
   merge_group:
     types: [checks_requested]
diff --git a/.github/workflows/validate-query-test-case-formatting.yml b/.github/workflows/validate-query-test-case-formatting.yml
index 1777cacdd..e466a1aed 100644
--- a/.github/workflows/validate-query-test-case-formatting.yml
+++ b/.github/workflows/validate-query-test-case-formatting.yml
@@ -1,4 +1,6 @@
 name: Validate Query Test Case Formatting
+permissions:
+  contents: read
 on:
   merge_group:
     types: [checks_requested]
diff --git a/.github/workflows/verify-standard-library-dependencies.yml b/.github/workflows/verify-standard-library-dependencies.yml
index 4900f1117..ee7df317c 100644
--- a/.github/workflows/verify-standard-library-dependencies.yml
+++ b/.github/workflows/verify-standard-library-dependencies.yml
@@ -1,4 +1,6 @@
 name: Verify Standard Library Dependencies
+permissions:
+  contents: read
 # Run this workflow every time the "supported_codeql_configs.json" file or a "qlpack.yml" file is changed
 on: