[FAST_BUILD] add explicit permissions to all workflows (#2326)

mathbunnyru · web-flow · commit 53b1d144db49 · 2025-09-19T11:17:47.000+01:00
diff --git a/.github/workflows/contributed-recipes.yml b/.github/workflows/contributed-recipes.yml
@@ -30,6 +30,9 @@ on:
         required: true
         type: boolean
 
+permissions:
+  contents: read
+
 jobs:
   generate-matrix:
     runs-on: ubuntu-24.04
diff --git a/.github/workflows/docker-build-test-upload.yml b/.github/workflows/docker-build-test-upload.yml
@@ -38,6 +38,9 @@ on:
         required: true
         type: number
 
+permissions:
+  contents: read
+
 jobs:
   build-test-upload:
     runs-on: ${{ inputs.runs-on }}
diff --git a/.github/workflows/docker-tag-push.yml b/.github/workflows/docker-tag-push.yml
@@ -26,6 +26,9 @@ on:
       REGISTRY_TOKEN:
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   tag-push:
     runs-on: ubuntu-24.04
diff --git a/.github/workflows/docker-wiki-update.yml b/.github/workflows/docker-wiki-update.yml
@@ -8,6 +8,9 @@ env:
 on:
   workflow_call:
 
+permissions:
+  contents: write
+
 jobs:
   wiki-update:
     runs-on: ubuntu-24.04
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -61,6 +61,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   aarch64-foundation:
     uses: ./.github/workflows/docker-build-test-upload.yml
@@ -437,3 +440,5 @@ jobs:
     uses: ./.github/workflows/docker-wiki-update.yml
     needs: tag-push-fast
     if: contains(github.event.pull_request.title, '[FAST_BUILD]')
+    permissions:
+      contents: write
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -7,6 +7,9 @@ on:
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   run-hooks:
     runs-on: ubuntu-24.04
diff --git a/.github/workflows/registry-move.yml b/.github/workflows/registry-move.yml
@@ -15,6 +15,9 @@ on:
       - ".github/workflows/registry-move.yml"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   registry-move:
     # To be able to use the latest skopeo
diff --git a/.github/workflows/registry-overviews.yml b/.github/workflows/registry-overviews.yml
@@ -13,6 +13,9 @@ on:
       - "images/*/README.md"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   update-overview:
     runs-on: ubuntu-24.04
diff --git a/.github/workflows/sphinx.yml b/.github/workflows/sphinx.yml
@@ -38,6 +38,9 @@ on:
       - "tagging/taggers/tagger_interface.py"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build-docs:
     runs-on: ubuntu-24.04
