build: assign read permission to all actions without one

2026-04-22 20:06:18 +02:00 · 2025-06-18 00:17:58 +04:00
parent 2caac5bf4c
commit 2d2ebba40e
3 changed files with 16 additions and 0 deletions
@@ -16,11 +16,15 @@ jobs:
    name: Lint JavaScript/TypeScript
    uses: ./.github/workflows/lint-js.yml
    secrets: inherit
+    permissions:
+      contents: read

  lint-rust:
    name: Lint Rust
    uses: ./.github/workflows/lint-rs.yml
    secrets: inherit
+    permissions:
+      contents: read

  security-scan:
    name: Security Vulnerability Scan
@@ -31,11 +31,15 @@ jobs:
    name: Lint JavaScript/TypeScript
    uses: ./.github/workflows/lint-js.yml
    secrets: inherit
+    permissions:
+      contents: read

  lint-rust:
    name: Lint Rust
    uses: ./.github/workflows/lint-rs.yml
    secrets: inherit
+    permissions:
+      contents: read

  codeql:
    name: CodeQL
@@ -51,6 +55,8 @@ jobs:
    name: Spell Check
    uses: ./.github/workflows/spellcheck.yml
    secrets: inherit
+    permissions:
+      contents: read

  release:
    needs: [security-scan, lint-js, lint-rust, codeql, spellcheck]
@@ -30,11 +30,15 @@ jobs:
    name: Lint JavaScript/TypeScript
    uses: ./.github/workflows/lint-js.yml
    secrets: inherit
+    permissions:
+      contents: read

  lint-rust:
    name: Lint Rust
    uses: ./.github/workflows/lint-rs.yml
    secrets: inherit
+    permissions:
+      contents: read

  codeql:
    name: CodeQL
@@ -50,6 +54,8 @@ jobs:
    name: Spell Check
    uses: ./.github/workflows/spellcheck.yml
    secrets: inherit
+    permissions:
+      contents: read

  rolling-release:
    needs: [security-scan, lint-js, lint-rust, codeql, spellcheck]