Merge pull request #966 from bastelfreak/releae

bastelfreak · web-flow · commit 57ff47b96c91 · 2025-05-29T20:50:47.000+02:00
CI jobs: Add explicit token permissions
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -7,6 +7,9 @@ on:
     branches:
       - master
 
+permissions:
+  contents: read
+
 jobs:
   unit:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -6,6 +6,9 @@ on:
     tags:
       - '*'
 
+permissions:
+  contents: write
+
 jobs:
   release:
     runs-on: ubuntu-24.04
diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
@@ -7,6 +7,9 @@ on:
     tags:
       - '*'
 
+permissions:
+  contents: read
+
 env:
   GIT_AUTHOR_NAME: pccibot
   GIT_AUTHOR_EMAIL: 12855858+pccibot@users.noreply.github.com
diff --git a/moduleroot/.github/workflows/ci.yml.erb b/moduleroot/.github/workflows/ci.yml.erb
@@ -17,6 +17,9 @@ concurrency:
   group: ${{ github.ref_name }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   puppet:
     name: Puppet
diff --git a/moduleroot/.github/workflows/labeler.yml.erb b/moduleroot/.github/workflows/labeler.yml.erb
@@ -8,6 +8,10 @@ name: "Pull Request Labeler"
 on:
   pull_request_target: {}
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   labeler:
     permissions:
diff --git a/moduleroot/.github/workflows/prepare_release.yml.erb b/moduleroot/.github/workflows/prepare_release.yml.erb
@@ -11,6 +11,10 @@ on:
         description: 'Module version to be released. Must be a valid semver string without leading v. (1.2.3)'
         required: false
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   release_prep:
     uses: 'voxpupuli/gha-puppet/.github/workflows/prepare_release.yml@v3'
diff --git a/moduleroot/.github/workflows/release.yml.erb b/moduleroot/.github/workflows/release.yml.erb
@@ -10,6 +10,9 @@ on:
     tags:
       - '*'
 
+permissions:
+  contents: write
+
 jobs:
   release:
     name: Release
