fix: adds permissions to all workflows (#505)

reggi · web-flow · commit 1cb710e27700 · 2025-03-05T11:05:12.000-08:00
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
@@ -8,6 +8,9 @@ on:
     # "At 08:00 UTC (01:00 PT) on Monday" https://crontab.guru/#0_8_*_*_1
     - cron: "0 8 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   audit:
     name: Audit Dependencies
diff --git a/.github/workflows/ci-release.yml b/.github/workflows/ci-release.yml
@@ -18,6 +18,10 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+  checks: write
+
 jobs:
   lint-all:
     name: Lint All
diff --git a/.github/workflows/ci-test-workspace.yml b/.github/workflows/ci-test-workspace.yml
@@ -16,6 +16,9 @@ on:
     # "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1
     - cron: "0 9 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -16,6 +16,9 @@ on:
     # "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1
     - cron: "0 9 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -13,6 +13,9 @@ on:
     # "At 10:00 UTC (03:00 PT) on Monday" https://crontab.guru/#0_10_*_*_1
     - cron: "0 10 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
@@ -10,6 +10,9 @@ on:
       - edited
       - synchronize
 
+permissions:
+  contents: read
+
 jobs:
   commitlint:
     name: Lint Commits
diff --git a/.github/workflows/release-integration.yml b/.github/workflows/release-integration.yml
@@ -19,6 +19,9 @@ on:
       PUBLISH_TOKEN:
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   publish:
     name: Publish
diff --git a/lib/content/audit-yml.hbs b/lib/content/audit-yml.hbs
@@ -6,6 +6,9 @@ on:
     # "At 08:00 UTC (01:00 PT) on Monday" https://crontab.guru/#0_8_*_*_1
     - cron: "0 8 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   audit:
     {{> jobYml jobName="Audit Dependencies" jobDepFlags="--package-lock" }}
diff --git a/lib/content/ci-release-yml.hbs b/lib/content/ci-release-yml.hbs
@@ -17,6 +17,10 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+  checks: write
+
 jobs:
   lint-all:
     {{> jobYml
diff --git a/lib/content/ci-yml.hbs b/lib/content/ci-yml.hbs
@@ -3,6 +3,9 @@ name: CI {{~#if isWorkspace}} - {{ pkgName }}{{/if}}
 on:
   {{> onCiYml }}
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     {{> jobYml jobName="Lint" }}
diff --git a/lib/content/codeql-analysis-yml.hbs b/lib/content/codeql-analysis-yml.hbs
@@ -15,6 +15,9 @@ on:
     # "At 10:00 UTC (03:00 PT) on Monday" https://crontab.guru/#0_10_*_*_1
     - cron: "0 10 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
diff --git a/lib/content/pull-request-yml.hbs b/lib/content/pull-request-yml.hbs
@@ -8,6 +8,9 @@ on:
       - edited
       - synchronize
 
+permissions:
+  contents: read
+  
 jobs:
   commitlint:
     {{> jobYml jobName="Lint Commits" jobCheckout=(obj fetch-depth=0) }}
diff --git a/lib/content/release-integration-yml.hbs b/lib/content/release-integration-yml.hbs
@@ -19,6 +19,9 @@ on:
         required: true
     {{/if}} 
 
+permissions:
+  contents: read
+
 jobs:
   publish:
     {{> jobReleaseIntegrationYml }}
diff --git a/tap-snapshots/test/apply/source-snapshots.js.test.cjs b/tap-snapshots/test/apply/source-snapshots.js.test.cjs
@@ -356,6 +356,9 @@ on:
     # "At 08:00 UTC (01:00 PT) on Monday" https://crontab.guru/#0_8_*_*_1
     - cron: "0 8 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   audit:
     name: Audit Dependencies
@@ -410,6 +413,10 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+  checks: write
+
 jobs:
   lint-all:
     name: Lint All
@@ -546,6 +553,9 @@ on:
     # "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1
     - cron: "0 9 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint
@@ -651,6 +661,9 @@ on:
     # "At 10:00 UTC (03:00 PT) on Monday" https://crontab.guru/#0_10_*_*_1
     - cron: "0 10 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
@@ -813,6 +826,9 @@ on:
       - edited
       - synchronize
 
+permissions:
+  contents: read
+
 jobs:
   commitlint:
     name: Lint Commits
@@ -872,6 +888,9 @@ on:
         type: string
         description: 'A json array of releases. Required fields: publish: tagName, publishTag. publish check: pkgName, version'
 
+permissions:
+  contents: read
+
 jobs:
   publish:
     name: Check Publish
@@ -1797,6 +1816,9 @@ on:
     # "At 08:00 UTC (01:00 PT) on Monday" https://crontab.guru/#0_8_*_*_1
     - cron: "0 8 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   audit:
     name: Audit Dependencies
@@ -1851,6 +1873,9 @@ on:
     # "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1
     - cron: "0 9 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint
@@ -1957,6 +1982,9 @@ on:
     # "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1
     - cron: "0 9 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint
@@ -2063,6 +2091,10 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+  checks: write
+
 jobs:
   lint-all:
     name: Lint All
@@ -2205,6 +2237,9 @@ on:
     # "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1
     - cron: "0 9 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint
@@ -2310,6 +2345,9 @@ on:
     # "At 10:00 UTC (03:00 PT) on Monday" https://crontab.guru/#0_10_*_*_1
     - cron: "0 10 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
@@ -2472,6 +2510,9 @@ on:
       - edited
       - synchronize
 
+permissions:
+  contents: read
+
 jobs:
   commitlint:
     name: Lint Commits
@@ -2531,6 +2572,9 @@ on:
         type: string
         description: 'A json array of releases. Required fields: publish: tagName, publishTag. publish check: pkgName, version'
 
+permissions:
+  contents: read
+
 jobs:
   publish:
     name: Check Publish
@@ -3526,6 +3570,9 @@ on:
     # "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1
     - cron: "0 9 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint
@@ -3632,6 +3679,9 @@ on:
     # "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1
     - cron: "0 9 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint
@@ -3738,6 +3788,10 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+  checks: write
+
 jobs:
   lint-all:
     name: Lint All
@@ -3996,6 +4050,9 @@ on:
       - edited
       - synchronize
 
+permissions:
+  contents: read
+
 jobs:
   commitlint:
     name: Lint Commits
@@ -4055,6 +4112,9 @@ on:
         type: string
         description: 'A json array of releases. Required fields: publish: tagName, publishTag. publish check: pkgName, version'
 
+permissions:
+  contents: read
+
 jobs:
   publish:
     name: Check Publish
diff --git a/tap-snapshots/test/check/diff-snapshots.js.test.cjs b/tap-snapshots/test/check/diff-snapshots.js.test.cjs
@@ -99,23 +99,23 @@ The repo file audit.yml needs to be updated:
   [@npmcli/template-oss ERROR] There was an erroring getting the target file
   [@npmcli/template-oss ERROR] Error: {{ROOT}}/.tap/fixtures/test-check-diff-snapshots.js-update-and-remove-errors/.github/workflows/audit.yml
   
-  YAMLParseError: Implicit keys need to be on a single line at line 42, column 1:
+  YAMLParseError: Implicit keys need to be on a single line at line 45, column 1:
   
           run: npm audit --audit-level=none
   >>>>I HOPE THIS IS NOT VALID YAML<<<<<<<<<<<
   ^
   
-  YAMLParseError: Block scalar header includes extra characters: >>>>I at line 42, column 2:
+  YAMLParseError: Block scalar header includes extra characters: >>>>I at line 45, column 2:
   
   >>>>I HOPE THIS IS NOT VALID YAML<<<<<<<<<<<
    ^
   
-  YAMLParseError: Not a YAML token: HOPE THIS IS NOT VALID YAML<<<<<<<<<<< at line 42, column 7:
+  YAMLParseError: Not a YAML token: HOPE THIS IS NOT VALID YAML<<<<<<<<<<< at line 45, column 7:
   
   >>>>I HOPE THIS IS NOT VALID YAML<<<<<<<<<<<
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   
-  YAMLParseError: Implicit map keys need to be followed by map values at line 42, column 1:
+  YAMLParseError: Implicit map keys need to be followed by map values at line 45, column 1:
   
           run: npm audit --audit-level=none
   >>>>I HOPE THIS IS NOT VALID YAML<<<<<<<<<<<
@@ -134,6 +134,9 @@ The repo file audit.yml needs to be updated:
       # "At 08:00 UTC (01:00 PT) on Monday" https://crontab.guru/#0_8_*_*_1
       - cron: "0 8 * * 1"
   
+  permissions:
+    contents: read
+  
   jobs:
     audit:
       name: Audit Dependencies
@@ -175,7 +178,7 @@ The repo file ci.yml needs to be updated:
 
   .github/workflows/ci.yml
   ========================================
-  @@ -97,4 +97,24 @@
+  @@ -100,4 +100,24 @@
            shell: \${{ matrix.platform.shell }}
        steps:
          - name: Checkout
