Merge pull request sbt#7023 from sashashura/patch-1

eed3si9n · web-flow · commit 87bbdd9f9bfd · 2022-10-02T04:42:01.000-04:00
GitHub Workflows security hardening
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -3,6 +3,9 @@ on:
   pull_request:
   push:
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   test:
     strategy:
diff --git a/.github/workflows/dependency-graph.yml b/.github/workflows/dependency-graph.yml
@@ -3,8 +3,12 @@ name: Submit Dependency Graph
 on:
   push:
     branches: [1.7.x] # default branch of the project
+permissions: {}
 jobs:
   submit-graph:
+    permissions:
+      contents: write # to submit the dependency graph
+
     name: Submit Dependency Graph
     runs-on: ubuntu-latest # or windows-latest, or macOS-latest
     steps:
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -5,6 +5,9 @@ on:
 #    # 08:00 UTC = 03:00 EST
 #    - cron:  '0 8 * * *'
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   deploy:
     strategy:
