ci(security): reduce workflows permissions (#355)

Set by default the permission to read-all in all the workflows and add the proper permissions for the following workflows: * CI * release-please * Release Publish Artifacts closes #352 Signed-off-by: Jonathan Gonzalez V. <jonathan.gonzalez@enterprisedb.com>
2026-01-11 13:23:09 +01:00 · 2025-05-29 16:08:30 +02:00 · 2025-05-29 16:08:30 +02:00 · 9640fde14e
commit 9640fde14e
parent 016d7ff178
4 changed files with 17 additions and 0 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -4,9 +4,14 @@ on:
  pull_request:
  workflow_dispatch:
 permissions: read-all
 jobs:
  ci:
    runs-on: ubuntu-latest
    permissions:
      packages: write
      contents: write
    steps:
      - name: Cleanup Disk
        uses: jlumbroso/free-disk-space@v1.3.1
--- a/.github/workflows/publish-docs.yml
+++ b/.github/workflows/publish-docs.yml
@ -16,6 +16,8 @@ concurrency:
  group: "pages"
  cancel-in-progress: false
 permissions: read-all
 jobs:
  build:
    runs-on: ubuntu-latest
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@ -5,9 +5,14 @@ on:
    branches:
      - main
 permissions: read-all
 jobs:
  release-please:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      # TODO: googleapis/release-please-action cannot sign commits yet.
      #   We'll use the cli until there's a fix for
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -3,9 +3,14 @@ on:
  release:
    types: [published]
 permissions: read-all
 jobs:
  release-publish-artifacts:
    runs-on: ubuntu-latest
    permissions:
      packages: write
      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4