chore: update workflow permissions (#15349)

matifali · web-flow · commit 3a5a42ffa985 · 2024-11-04T11:09:40.000+05:00
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -9,16 +9,7 @@ on:
   workflow_dispatch:
 
 permissions:
-  actions: none
-  checks: none
   contents: read
-  deployments: none
-  issues: none
-  packages: write
-  pull-requests: none
-  repository-projects: none
-  security-events: none
-  statuses: none
 
 # Cancel in-progress runs for pull requests when developers push
 # additional changes
@@ -821,6 +812,8 @@ jobs:
     needs: changes
     if: github.ref == 'refs/heads/main' && needs.changes.outputs.docs-only == 'false' && !github.event.pull_request.head.repo.fork
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
+    permissions:
+      packages: write # Needed to push images to ghcr.io
     env:
       DOCKER_CLI_EXPERIMENTAL: "enabled"
     outputs:
diff --git a/.github/workflows/contrib.yaml b/.github/workflows/contrib.yaml
@@ -16,6 +16,9 @@ on:
       # For jobs that don't run on draft PRs.
       - ready_for_review
 
+permissions:
+  contents: read
+
 # Only run one instance per PR to ensure in-order execution.
 concurrency: pr-${{ github.ref }}
 
diff --git a/.github/workflows/pr-cleanup.yaml b/.github/workflows/pr-cleanup.yaml
@@ -8,6 +8,9 @@ on:
         description: "PR number"
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   cleanup:
     runs-on: "ubuntu-latest"
