Add 'permissions: read-all' to multiple workflow files for consistency

frasermolyneux · frasermolyneux · commit dd4449b8d2d1 · 2026-02-05T20:52:51.000Z
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
@@ -8,6 +8,8 @@ on:
       - "hotfix/**"
 
 
+permissions: read-all
+
 jobs:
   build-and-test:
     permissions:
@@ -18,4 +20,4 @@ jobs:
         with:
           dotnet-project: "XtremeIdiots.Portal.Web"
           dotnet-version: 9.0.x
-          src-folder: "src"
+          src-folder: "src"
diff --git a/.github/workflows/codequality.yml b/.github/workflows/codequality.yml
@@ -12,6 +12,8 @@ on:
     - cron: "0 3 * * 1"
 
   
+permissions: read-all
+
 jobs:
   quality:
     permissions:
@@ -47,4 +49,4 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v6
       - name: Dependency Review
-        uses: actions/dependency-review-action@v4
+        uses: actions/dependency-review-action@v4
diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
@@ -11,6 +11,8 @@ on:
     paths:
       - .github/workflows/copilot-setup-steps.yml
 
+permissions: read-all
+
 jobs:
   # The job MUST be called `copilot-setup-steps` or it will not be picked up by Copilot.
   copilot-setup-steps:
@@ -31,4 +33,4 @@ jobs:
       - name: Setup .NET
         uses: actions/setup-dotnet@v5
         with:
-            dotnet-version: "9.0.x"
+            dotnet-version: "9.0.x"
diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml
@@ -5,6 +5,8 @@ on:
       - main
 
 
+permissions: read-all
+
 jobs:
   dependabot:
     permissions:
@@ -22,4 +24,4 @@ jobs:
       run: gh pr merge --auto --merge "$PR_URL"
       env:
         PR_URL: ${{github.event.pull_request.html_url}}
-        GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+        GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml
@@ -4,6 +4,8 @@ on:
   workflow_dispatch:
 
 
+permissions: read-all
+
 jobs:
   build-and-test:
     permissions:
@@ -70,4 +72,4 @@ jobs:
           resource-group-name: ${{ needs.terraform-plan-and-apply-dev.outputs.web_app_resource_group }}
           AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
           AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
-          AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+          AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
diff --git a/.github/workflows/deploy-prd.yml b/.github/workflows/deploy-prd.yml
@@ -9,6 +9,8 @@ on:
     - cron: "0 3 * * 4"
 
 
+permissions: read-all
+
 concurrency:
   group: ${{ github.workflow }}
 
@@ -133,4 +135,4 @@ jobs:
           resource-group-name: ${{ needs.terraform-plan-and-apply-prd.outputs.web_app_resource_group }}
           AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
           AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
-          AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+          AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
diff --git a/.github/workflows/pr-verify.yml b/.github/workflows/pr-verify.yml
@@ -14,6 +14,8 @@ on:
     types: [opened, synchronize, reopened, ready_for_review]
 
 
+permissions: read-all
+
 jobs:
   build-and-test:
     permissions:
@@ -75,4 +77,4 @@ jobs:
           terraform-backend-file: "backends/prd.backend.hcl"
           AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
           AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
-          AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+          AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
