Use minimal permissions for CI jobs (#885)

newpavlov · web-flow · commit 13385f64b2d3 · 2023-04-03T19:01:58.000Z
diff --git a/.github/workflows/blobby.yml b/.github/workflows/blobby.yml
@@ -8,6 +8,9 @@ on:
   push:
     branches: master
 
+permissions:
+  contents: read
+
 defaults:
   run:
     working-directory: blobby
diff --git a/.github/workflows/block-buffer.yml b/.github/workflows/block-buffer.yml
@@ -8,6 +8,9 @@ on:
   push:
     branches: master
 
+permissions:
+  contents: read
+
 defaults:
   run:
     working-directory: block-buffer
diff --git a/.github/workflows/block-padding.yml b/.github/workflows/block-padding.yml
@@ -8,6 +8,9 @@ on:
   push:
     branches: master
 
+permissions:
+  contents: read
+
 defaults:
   run:
     working-directory: block-padding
diff --git a/.github/workflows/cmov.yml b/.github/workflows/cmov.yml
@@ -9,6 +9,9 @@ on:
   push:
     branches: master
 
+permissions:
+  contents: read
+
 defaults:
   run:
     working-directory: cmov
diff --git a/.github/workflows/cpufeatures.yml b/.github/workflows/cpufeatures.yml
@@ -8,6 +8,9 @@ on:
   push:
     branches: master
 
+permissions:
+  contents: read
+
 defaults:
   run:
     working-directory: cpufeatures
diff --git a/.github/workflows/dbl.yml b/.github/workflows/dbl.yml
@@ -8,6 +8,9 @@ on:
   push:
     branches: master
 
+permissions:
+  contents: read
+
 defaults:
   run:
     working-directory: dbl
diff --git a/.github/workflows/fiat-constify.yml b/.github/workflows/fiat-constify.yml
@@ -9,6 +9,9 @@ on:
   push:
     branches: master
 
+permissions:
+  contents: read
+
 defaults:
   run:
     working-directory: fiat-constify
diff --git a/.github/workflows/hex-literal.yml b/.github/workflows/hex-literal.yml
@@ -8,6 +8,9 @@ on:
   push:
     branches: master
 
+permissions:
+  contents: read
+
 defaults:
   run:
     working-directory: hex-literal
diff --git a/.github/workflows/hybrid-array.yml b/.github/workflows/hybrid-array.yml
@@ -9,6 +9,9 @@ on:
   push:
     branches: master
 
+permissions:
+  contents: read
+
 defaults:
   run:
     working-directory: hybrid-array
diff --git a/.github/workflows/inout.yml b/.github/workflows/inout.yml
@@ -8,6 +8,9 @@ on:
   push:
     branches: master
 
+permissions:
+  contents: read
+
 defaults:
   run:
     working-directory: inout
diff --git a/.github/workflows/opaque-debug.yml b/.github/workflows/opaque-debug.yml
@@ -8,6 +8,9 @@ on:
   push:
     branches: master
 
+permissions:
+  contents: read
+
 defaults:
   run:
     working-directory: opaque-debug
diff --git a/.github/workflows/security-audit.yml b/.github/workflows/security-audit.yml
@@ -1,4 +1,5 @@
 name: Security Audit
+
 on:
   pull_request:
     paths: Cargo.lock
diff --git a/.github/workflows/workspace.yml b/.github/workflows/workspace.yml
@@ -9,6 +9,9 @@ on:
     paths-ignore:
       - README.md
 
+permissions:
+  contents: read
+
 jobs:
   clippy:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/zeroize.yml b/.github/workflows/zeroize.yml
@@ -9,6 +9,9 @@ on:
   push:
     branches: master
 
+permissions:
+  contents: read
+
 defaults:
   run:
     working-directory: zeroize

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`name: Security Audit`
	`2`	`+`
`2`	`3`	`on:`
`3`	`4`	`pull_request:`
`4`	`5`	`paths: Cargo.lock`