From 9ab7e54c93d882a9b21a92edef471bc201f725b1 Mon Sep 17 00:00:00 2001
From: Muhammad Atif Ali
Date: Mon, 4 Nov 2024 10:50:21 +0500
Subject: [PATCH] chore: update permissions in ci.yaml

Signed-off-by: Muhammad Atif Ali
---
 .github/workflows/ci.yaml | 11 ++---------
 .github/workflows/contrib.yaml | 3 +++
 .github/workflows/pr-cleanup.yaml | 3 +++
 3 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index e6d105d8890f4..7773ac759e0d9 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -9,16 +9,7 @@ on:
 workflow_dispatch:

 permissions:
- actions: none
- checks: none
 contents: read
- deployments: none
- issues: none
- packages: write
- pull-requests: none
- repository-projects: none
- security-events: none
- statuses: none

 # Cancel in-progress runs for pull requests when developers push
 # additional changes
@@ -821,6 +812,8 @@ jobs:
 needs: changes
 if: github.ref == 'refs/heads/main' && needs.changes.outputs.docs-only == 'false' && !github.event.pull_request.head.repo.fork
 runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
+ permissions:
+ packages: write # Needed to push images to ghcr.io
 env:
 DOCKER_CLI_EXPERIMENTAL: "enabled"
 outputs:
diff --git a/.github/workflows/contrib.yaml b/.github/workflows/contrib.yaml
index 3389042cea18c..cd86a2d0309d9 100644
--- a/.github/workflows/contrib.yaml
+++ b/.github/workflows/contrib.yaml
@@ -16,6 +16,9 @@ on:
 # For jobs that don't run on draft PRs.
 - ready_for_review

+permissions:
+ contents: read
+
 # Only run one instance per PR to ensure in-order execution.
 concurrency: pr-${{ github.ref }}

diff --git a/.github/workflows/pr-cleanup.yaml b/.github/workflows/pr-cleanup.yaml
index f5cee03a4c6c4..2a97eb29a67b7 100644
--- a/.github/workflows/pr-cleanup.yaml
+++ b/.github/workflows/pr-cleanup.yaml
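Review bot: Dropping `packages: write` from the workflow-level `permissions` block in ci.yaml removes it from every job, and the patch restores it for only the one job in the hunk at line 812. Any other job in that file that pushes to ghcr.io (none is visible in these hunks) would now be denied unless it gets its own job-level grant, so the jobs outside the hunks need checking. The same applies to the new `contents: read` defaults in contrib.yaml and pr-cleanup.yaml: once one scope is listed, every unlisted scope becomes `none`, so jobs there that label or comment on pull requests or delete packages need job-level write scopes. A comment above each block such as `# Default for all jobs; grant write scopes per job` would make that intent explicit.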
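Review bot: The job-level `permissions` block added at line 812 replaces the workflow-level block for this job rather than merging with it, so listing only `packages: write` leaves the job with `contents: none`. If the job checks out the repository with the workflow token (its steps are outside the hunk), add the scope next to it, e.g. `contents: read # Needed to check out the repository`. The job's body continues past the hunk, so any other scopes its steps rely on could not be checked here.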
@@ -8,6 +8,9 @@ on:
 description: "PR number"
 required: true

+permissions:
+ contents: read
+
 jobs:
 cleanup:
 runs-on: "ubuntu-latest"