reduced permissions of GitHub actions (#4403)

firewave · web-flow · commit cf1271889a61 · 2022-08-26T23:25:07.000+02:00
diff --git a/.github/workflows/CI-cygwin.yml b/.github/workflows/CI-cygwin.yml
@@ -6,6 +6,9 @@ name: CI-cygwin
 
 on: [push,pull_request]
 
+permissions:
+  contents: read
+
 defaults:
   run:
     shell: cmd
diff --git a/.github/workflows/CI-mingw.yml b/.github/workflows/CI-mingw.yml
@@ -6,6 +6,9 @@ name: CI-mingw
 
 on: [push,pull_request]
 
+permissions:
+  contents: read
+
 defaults:
   run:
     shell: cmd
diff --git a/.github/workflows/CI-unixish-docker.yml b/.github/workflows/CI-unixish-docker.yml
@@ -4,6 +4,9 @@ name: CI-unixish-docker
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
diff --git a/.github/workflows/CI-unixish.yml b/.github/workflows/CI-unixish.yml
@@ -4,6 +4,9 @@ name: CI-unixish
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
diff --git a/.github/workflows/CI-windows.yml b/.github/workflows/CI-windows.yml
@@ -6,6 +6,9 @@ name: CI-windows
 
 on: [push,pull_request]
 
+permissions:
+  contents: read
+
 defaults:
   run:
     shell: cmd
diff --git a/.github/workflows/asan.yml b/.github/workflows/asan.yml
@@ -4,6 +4,9 @@ name: address sanitizer
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
diff --git a/.github/workflows/buildman.yml b/.github/workflows/buildman.yml
@@ -2,6 +2,9 @@ name: Build manual
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   convert_via_pandoc:
     runs-on: ubuntu-22.04
diff --git a/.github/workflows/clang-tidy.yml b/.github/workflows/clang-tidy.yml
@@ -4,6 +4,9 @@ name: clang-tidy
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -2,6 +2,9 @@ name: "CodeQL"
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
@@ -4,6 +4,9 @@ name: Coverage
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
@@ -4,6 +4,9 @@ name: format
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
diff --git a/.github/workflows/iwyu.yml b/.github/workflows/iwyu.yml
@@ -4,6 +4,9 @@ name: include-what-you-use
 
 on: workflow_dispatch
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
diff --git a/.github/workflows/release-windows.yml b/.github/workflows/release-windows.yml
@@ -12,6 +12,9 @@ on:
     - cron:  '0 0 * * *'
   workflow_dispatch:
 
+    permissions:
+      contents: read
+
 defaults:
   run:
     shell: cmd
diff --git a/.github/workflows/scriptcheck.yml b/.github/workflows/scriptcheck.yml
@@ -4,6 +4,9 @@ name: scriptcheck
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
diff --git a/.github/workflows/selfcheck.yml b/.github/workflows/selfcheck.yml
@@ -4,6 +4,9 @@ name: selfcheck
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
diff --git a/.github/workflows/tsan.yml b/.github/workflows/tsan.yml
@@ -4,6 +4,9 @@ name: thread sanitizer
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
diff --git a/.github/workflows/ubsan.yml b/.github/workflows/ubsan.yml
@@ -4,6 +4,9 @@ name: undefined behaviour sanitizers
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
diff --git a/.github/workflows/valgrind.yml b/.github/workflows/valgrind.yml
@@ -5,6 +5,9 @@ name: valgrind
 # on: [push, pull_request]
 on: workflow_dispatch
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
