chore: Add explicit permissions to GH Actions jobs

clareliguori · clareliguori · commit fa151816b858 · 2025-04-21T16:54:20.000-07:00
diff --git a/.github/workflows/cdk-checks.yml b/.github/workflows/cdk-checks.yml
@@ -7,6 +7,8 @@ jobs:
   check_time_server:
     name: Check Python-based Time Server
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 15
     steps:
       - uses: actions/checkout@v4
@@ -41,6 +43,8 @@ jobs:
   check_weather_alerts_server:
     name: Check Typescript-based Weather Alerts Server
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 15
     steps:
       - uses: actions/checkout@v4
diff --git a/.github/workflows/check-uv-lock.yml b/.github/workflows/check-uv-lock.yml
@@ -14,6 +14,8 @@ jobs:
   check-lock:
     runs-on: ubuntu-latest
     timeout-minutes: 15
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
 
diff --git a/.github/workflows/lint-pr.yml b/.github/workflows/lint-pr.yml
@@ -12,6 +12,8 @@ jobs:
     name: Semantic Pull Request
     runs-on: ubuntu-latest
     timeout-minutes: 15
+    permissions:
+      contents: read
     steps:
       - uses: amannn/action-semantic-pull-request@v5
         env:
diff --git a/.github/workflows/python-checks.yml b/.github/workflows/python-checks.yml
@@ -7,6 +7,8 @@ jobs:
   check_python:
     name: Check Python library
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 15
     steps:
       - uses: actions/checkout@v4
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -9,6 +9,8 @@ jobs:
   determine_release:
     name: "Determine if release is needed"
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 15
     outputs:
       pending_version_number: ${{ steps.versiondetails.outputs.pendingversion }}
@@ -91,6 +93,8 @@ jobs:
     name: "Run unit tests"
     needs: determine_release
     if: needs.determine_release.outputs.pending_version_available == 'true'
+    permissions:
+      contents: read
     timeout-minutes: 15
     uses: ./.github/workflows/unit-tests.yml
 
diff --git a/.github/workflows/typescript-checks.yml b/.github/workflows/typescript-checks.yml
@@ -7,6 +7,8 @@ jobs:
   check_typescript:
     name: Check Typescript library
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 15
     steps:
       - uses: actions/checkout@v4
@@ -37,6 +39,8 @@ jobs:
   check_typescript_chatbot:
     name: Check Typescript chatbot
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 15
     steps:
       - uses: actions/checkout@v4
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
@@ -10,10 +10,16 @@ on:
 jobs:
   python:
     timeout-minutes: 15
+    permissions:
+      contents: read
     uses: ./.github/workflows/python-checks.yml
   typescript:
     timeout-minutes: 15
+    permissions:
+      contents: read
     uses: ./.github/workflows/typescript-checks.yml
   cdk:
     timeout-minutes: 15
+    permissions:
+      contents: read
     uses: ./.github/workflows/cdk-checks.yml
