diff --git a/ci/gradle.yml b/ci/gradle.yml index 8e0d1e4..4642c75 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -13,6 +13,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: diff --git a/ci/msbuild.yml b/ci/msbuild.yml index 3cd8f01..c50354e 100644 --- a/ci/msbuild.yml +++ b/ci/msbuild.yml @@ -15,6 +15,9 @@ env: # https://docs.github.com/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix BUILD_CONFIGURATION: Release +permissions: + contents: read + jobs: build: runs-on: windows-latest diff --git a/ci/python-publish.yml b/ci/python-publish.yml index f55528c..ec70354 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml @@ -12,6 +12,9 @@ on: release: types: [published] +permissions: + contents: read + jobs: deploy: diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml index 01af5af..cbef5a2 100644 --- a/code-scanning/ossar.yml +++ b/code-scanning/ossar.yml @@ -17,10 +17,16 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: OSSAR-Scan: # OSSAR runs on windows-latest. # ubuntu-latest and macos-latest support coming soon + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: windows-latest steps: diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml index c50f268..1d72a9b 100644 --- a/code-scanning/powershell.yml +++ b/code-scanning/powershell.yml @@ -17,8 +17,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: build: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: PSScriptAnalyzer runs-on: ubuntu-latest steps: diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml index 874f43b..0fbbf87 100644 --- a/code-scanning/snyk-container.yml +++ b/code-scanning/snyk-container.yml @@ -22,8 +22,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: snyk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - uses: actions/checkout@v3