Refine GitHub actions permissions

bclozel · bclozel · commit 76c145f9e75f · 2025-06-26T15:42:41.000+02:00
diff --git a/.github/workflows/build-and-deploy-snapshot.yml b/.github/workflows/build-and-deploy-snapshot.yml
@@ -4,7 +4,7 @@ on:
     branches:
       - main
 permissions:
-  actions: write
+  contents: read
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -3,6 +3,8 @@ on:
   push:
     branches:
       - main
+permissions:
+  contents: read
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -1,17 +1,15 @@
 name: "CodeQL Advanced"
-
 on:
   push:
   pull_request:
   workflow_dispatch:
   schedule:
-    # https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#schedule
-    - cron: '0 5 * * *'
+    - cron: '45 0 * * 1'
 permissions: read-all
 jobs:
   codeql-analysis-call:
     permissions:
       actions: read
       contents: read
       security-events: write
-    uses: spring-io/github-actions/.github/workflows/codeql-analysis.yml@1
+    uses: spring-io/github-actions/.github/workflows/codeql-analysis.yml@6e66995f7d29de1e4ff76e4f0def7a10163fe910
diff --git a/.github/workflows/delete-staged-release.yml b/.github/workflows/delete-staged-release.yml
@@ -5,6 +5,8 @@ on:
       build-version:
         description: 'Version of the build to delete'
         required: true
+permissions:
+  contents: read
 jobs:
   delete-staged-release:
     name: Delete Staged Release
diff --git a/.github/workflows/release-milestone.yml b/.github/workflows/release-milestone.yml
@@ -4,6 +4,8 @@ on:
     tags:
       - v2.0.0-M[1-9]
       - v2.0.0-RC[1-9]
+permissions:
+  contents: read
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -3,6 +3,8 @@ on:
   push:
     tags:
       - v2.0.[0-9]+
+permissions:
+  contents: read
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
diff --git a/.github/workflows/update-antora-ui-spring.yml b/.github/workflows/update-antora-ui-spring.yml
@@ -1,15 +1,12 @@
 name: Update Antora UI Spring
-
 on:
   schedule:
     - cron: '0 10 * * *' # Once per day at 10am UTC
   workflow_dispatch:
-
 permissions:
   pull-requests: write
   issues: write
   contents: write
-
 jobs:
   update-antora-ui-spring:
     runs-on: ubuntu-latest
