fix(reuse): Restrict workflow to read permissions

Signed-off-by: Ferdinand Thiessen <[email protected]>
nextcloud · Jan 22, 2025 · ba51979 · ba51979
1 parent 6d69b03
commit ba51979
Show file tree

Hide file tree

Showing 15 changed files with 47 additions and 0 deletions.
diff --git a/.github/workflows/dispatch-workflow.yml b/.github/workflows/dispatch-workflow.yml
@@ -21,6 +21,9 @@ on:
         type: number
         default: 1
 
+permissions:
+  contents: read
+
 jobs:
   repositories:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/lint-yaml.yml b/.github/workflows/lint-yaml.yml
@@ -10,6 +10,9 @@ name: Lint
 
 on: pull_request
 
+permissions:
+  contents: read
+
 jobs:
   yaml-lint:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/reuse.yml b/.github/workflows/reuse.yml
@@ -11,6 +11,9 @@ name: REUSE Compliance Check
 
 on: [pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   reuse-compliance-check:
     runs-on: ubuntu-latest

diff --git a/workflow-templates/appstore-build-publish.yml b/workflow-templates/appstore-build-publish.yml
@@ -12,6 +12,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: write
+
 jobs:
   build_and_publish:
     runs-on: ubuntu-latest

diff --git a/workflow-templates/command-compile.yml b/workflow-templates/command-compile.yml
@@ -11,6 +11,9 @@ on:
   issue_comment:
     types: [created]
 
+permissions:
+  contents: read
+
 jobs:
   init:
     runs-on: ubuntu-latest

diff --git a/workflow-templates/command-openapi.yml b/workflow-templates/command-openapi.yml
@@ -11,6 +11,9 @@ on:
   issue_comment:
     types: [created]
 
+permissions:
+  contents: read
+
 jobs:
   init:
     runs-on: ubuntu-latest

diff --git a/workflow-templates/cypress.yml b/workflow-templates/cypress.yml
@@ -24,6 +24,10 @@ env:
   # n.b. server will use head_ref, as we want to test the PR branch.
   BRANCH: ${{ github.base_ref || github.ref_name }}
 
+
+permissions:
+  contents: read
+
 jobs:
   init:
     runs-on: ubuntu-latest-low

diff --git a/workflow-templates/documentation.yml b/workflow-templates/documentation.yml
@@ -13,6 +13,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 jobs:
   build-and-deploy:
     runs-on: ubuntu-latest

diff --git a/workflow-templates/npm-audit-fix.yml b/workflow-templates/npm-audit-fix.yml
@@ -14,6 +14,9 @@ on:
     # At 2:30 on Sundays
     - cron: '30 2 * * 0'
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

diff --git a/workflow-templates/pr-feedback.yml b/workflow-templates/pr-feedback.yml
@@ -15,6 +15,10 @@ on:
   schedule:
     - cron: '30 1 * * *'
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   pr-feedback:
     if: ${{ github.repository_owner == 'nextcloud' }}

diff --git a/workflow-templates/psalm-matrix.yml b/workflow-templates/psalm-matrix.yml
@@ -14,6 +14,9 @@ concurrency:
   group: psalm-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   matrix:
     runs-on: ubuntu-latest-low

diff --git a/workflow-templates/psalm.yml b/workflow-templates/psalm.yml
@@ -14,6 +14,9 @@ concurrency:
   group: psalm-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   static-analysis:
     runs-on: ubuntu-latest

diff --git a/workflow-templates/reuse.yml b/workflow-templates/reuse.yml
@@ -11,6 +11,9 @@ name: REUSE Compliance Check
 
 on: [pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   reuse-compliance-check:
     runs-on: ubuntu-latest

diff --git a/workflow-templates/update-nextcloud-ocp-matrix.yml b/workflow-templates/update-nextcloud-ocp-matrix.yml
@@ -13,6 +13,9 @@ on:
   schedule:
     - cron: '5 2 * * 0'
 
+permissions:
+  contents: read
+
 jobs:
   update-nextcloud-ocp:
     runs-on: ubuntu-latest

diff --git a/workflow-templates/update-nextcloud-ocp.yml b/workflow-templates/update-nextcloud-ocp.yml
@@ -13,6 +13,9 @@ on:
   schedule:
     - cron: "5 2 * * 0"
 
+permissions:
+  contents: read
+
 jobs:
   update-nextcloud-ocp:
     runs-on: ubuntu-latest