From ebbcb0881017b46a5410d8834cf1bb9c438db0f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wolf-Martell=20Montw=C3=A9?=
Date: Thu, 9 Jan 2025 18:11:24 +0100
Subject: [PATCH] Fix GH Action token permissions
---
 .github/workflows/android.yml | 3 +++
 .github/workflows/codeql.yml | 3 +++
 .github/workflows/daily_builds.yml | 3 +++
 .github/workflows/fluidscan.yml | 3 +++
 .github/workflows/gradle-cache.yml | 3 +++
 .github/workflows/markdown.yml | 3 +++
 .github/workflows/needinfo-remove.yml | 3 +++
 .github/workflows/needinfo-stale.yml | 3 +++
 .github/workflows/scorecard.yml | 3 +++
 .github/workflows/shippable_builds.yml | 3 +++
 .github/workflows/uplift-merges.yml | 3 +++
 .github/workflows/validate-gradle.yml | 3 +++
 .github/workflows/validate-workflows.yml | 3 +++
 13 files changed, 39 insertions(+)
diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml
index db784d1781d..2ff7f131493 100644
--- a/.github/workflows/android.yml
+++ b/.github/workflows/android.yml
@@ -12,6 +12,9 @@ on:
 - 'LICENSE'
 - 'NOTICE'
 
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index d0ff59e204f..30779fa57ec 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -5,6 +5,9 @@ on:
 - cron: '0 10 * * 1'
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 codeql-scan:
diff --git a/.github/workflows/daily_builds.yml b/.github/workflows/daily_builds.yml
index 0775c9435ad..bb85f4c5c73 100644
--- a/.github/workflows/daily_builds.yml
+++ b/.github/workflows/daily_builds.yml
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: '8 20 * * *'
 
+permissions:
+ contents: read
+
 jobs:
 trigger_daily_build:
 if: ${{ github.repository_owner == 'thunderbird' }}
diff --git a/.github/workflows/fluidscan.yml b/.github/workflows/fluidscan.yml
index 7299ca1e578..2e6275c7c90 100644
--- a/.github/workflows/fluidscan.yml
+++ b/.github/workflows/fluidscan.yml
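Review bot: A workflow-level `permissions: contents: read` drops every other default token scope (issues, pull-requests, security-events, id-token, ...) for all jobs in the file, and a job-level `permissions:` block, where one exists, replaces the workflow-level block rather than extending it. These hunks show only the new top-level block, so it is not visible whether the jobs that presumably write to the repository or the API — needinfo-remove and needinfo-stale (issue labels), codeql and scorecard (SARIF upload), uplift-merges (merges) — carry job-level grants such as `issues: write`, `security-events: write` or `contents: write`; without them those runs would fail with a 403 on the write step. Worth confirming against the full files, keeping any write grant at the job that needs it rather than widening the top-level block. The same consideration applies to the fluidscan, needinfo-*, scorecard, shippable_builds and uplift-merges hunks on the following lines.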
@@ -4,6 +4,9 @@ on:
 - cron: '0 10 * * 1'
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 fluidattacks-scan:
diff --git a/.github/workflows/gradle-cache.yml b/.github/workflows/gradle-cache.yml
index a2d1cc82108..304f7627750 100644
--- a/.github/workflows/gradle-cache.yml
+++ b/.github/workflows/gradle-cache.yml
@@ -14,6 +14,9 @@ on:
 - 'LICENSE'
 - 'NOTICE'
 
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/markdown.yml b/.github/workflows/markdown.yml
index 29b0bd5a806..ae8eb055c90 100644
--- a/.github/workflows/markdown.yml
+++ b/.github/workflows/markdown.yml
@@ -6,6 +6,9 @@ on:
 - '**.md'
 - '.github/workflows/markdown.yml'
 
+permissions:
+ contents: read
+
 jobs:
 markdown_quality:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/needinfo-remove.yml b/.github/workflows/needinfo-remove.yml
index d691385d44a..a805ee3a95b 100644
--- a/.github/workflows/needinfo-remove.yml
+++ b/.github/workflows/needinfo-remove.yml
@@ -6,6 +6,9 @@ on:
 types:
 - created
 
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/needinfo-stale.yml b/.github/workflows/needinfo-stale.yml
index c8b8e5582c2..35d13e0130d 100644
--- a/.github/workflows/needinfo-stale.yml
+++ b/.github/workflows/needinfo-stale.yml
@@ -6,6 +6,9 @@ on:
 - cron: "0 0 * * *"
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 247faed6216..dade6b7553b 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -15,6 +15,9 @@ on:
 branches: [ "main" ]
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 analysis:
 name: Scorecard analysis
diff --git a/.github/workflows/shippable_builds.yml b/.github/workflows/shippable_builds.yml
index 62ea7506abe..b3a2dba9ae7 100644
--- a/.github/workflows/shippable_builds.yml
+++ b/.github/workflows/shippable_builds.yml
@@ -29,6 +29,9 @@ on:
 type: boolean
 description: Upload to FTP stage instead of prod
 
+permissions:
+ contents: read
+
 jobs:
 get_environment:
 name: Determine Release Environment
diff --git a/.github/workflows/uplift-merges.yml b/.github/workflows/uplift-merges.yml
index 29769c32aad..e9ab200f34a 100644
--- a/.github/workflows/uplift-merges.yml
+++ b/.github/workflows/uplift-merges.yml
@@ -8,6 +8,9 @@ on:
 description: Dry run
 default: true
 
+permissions:
+ contents: read
+
 jobs:
 uplift:
 name: Uplift
diff --git a/.github/workflows/validate-gradle.yml b/.github/workflows/validate-gradle.yml
index eb9a03c119d..d656529bc0c 100644
--- a/.github/workflows/validate-gradle.yml
+++ b/.github/workflows/validate-gradle.yml
@@ -4,6 +4,9 @@ on:
 push:
 pull_request:
 
+permissions:
+ contents: read
+
 jobs:
 validate-gradle:
 name: "validate-gradle"
diff --git a/.github/workflows/validate-workflows.yml b/.github/workflows/validate-workflows.yml
index 1b344bd3123..96b2c206c85 100644
--- a/.github/workflows/validate-workflows.yml
+++ b/.github/workflows/validate-workflows.yml
@@ -14,6 +14,9 @@ on:
 description: Debug mode
 default: false
 
+permissions:
+ contents: read
+
 jobs:
 validate-workflows:
 runs-on: ubuntu-latest