diff --git a/.github/workflows/ci-checks.yml b/.github/workflows/ci-checks.yml index 4fdc1bcba..f3b992387 100644 --- a/.github/workflows/ci-checks.yml +++ b/.github/workflows/ci-checks.yml @@ -3,6 +3,9 @@ name: Checks on: pull_request: +permissions: + contents: read + jobs: security: name: Security diff --git a/.github/workflows/ci-oss.yml b/.github/workflows/ci-oss.yml index f6f490f34..ea007b567 100644 --- a/.github/workflows/ci-oss.yml +++ b/.github/workflows/ci-oss.yml @@ -4,6 +4,9 @@ on: pull_request: types: [opened, synchronize] +permissions: + contents: read + jobs: test: if: github.event.pull_request.head.repo.full_name != github.repository diff --git a/.github/workflows/ci-saas.yml b/.github/workflows/ci-saas.yml index f1d8875b4..aa98a8e93 100644 --- a/.github/workflows/ci-saas.yml +++ b/.github/workflows/ci-saas.yml @@ -3,6 +3,9 @@ name: CI (SaaS) on: push: +permissions: + contents: read + jobs: test_oss: name: Test (OSS) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 8b5925a13..e62118357 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -10,6 +10,9 @@ on: GH_TOKEN: required: false +permissions: + contents: read + jobs: test: name: Tests (${{ matrix.mode }})