Default github workflow permission read-all

MrAlias · MrAlias · commit 160ea98b497f · 2025-02-05T12:03:34.000-08:00
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
@@ -5,6 +5,9 @@ on:
       - main
   workflow_dispatch:
 
+# Declare default permissions as read only.
+permissions: read-all
+
 env:
   DEFAULT_GO_VERSION: "~1.23.0"
 jobs:
diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
@@ -10,6 +10,10 @@ on:
     types: [opened, synchronize, reopened, labeled, unlabeled]
     branches:
       - main
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   changelog:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -13,6 +13,8 @@ env:
   # explicitly test our code for these versions so keeping this at prior
   # versions does not add value.
   DEFAULT_GO_VERSION: "~1.23.0"
+# Declare default permissions as read only.
+permissions: read-all
 jobs:
   lint:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -17,6 +17,9 @@ on:
     branches: [ main ]
   pull_request:
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   CodeQL-Build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/codespell.yaml b/.github/workflows/codespell.yaml
@@ -4,6 +4,8 @@ on:
     branches:
       - main
   pull_request:
+# Declare default permissions as read only.
+permissions: read-all
 jobs:
   codespell:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/links-fail-fast.yml b/.github/workflows/links-fail-fast.yml
@@ -6,6 +6,9 @@ on:
       - main
   pull_request:
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   check-links:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/links.yml b/.github/workflows/links.yml
@@ -7,6 +7,9 @@ on:
   # Everyday at 9:00 AM.
   - cron: "0 9 * * *"
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   check-links:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/markdown-fail-fast.yml b/.github/workflows/markdown-fail-fast.yml
@@ -4,6 +4,9 @@ on:
   push:
   pull_request:
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   changedfiles:
     name: changed files
diff --git a/.github/workflows/markdown.yml b/.github/workflows/markdown.yml
@@ -7,6 +7,9 @@ on:
   # Everyday at 9:00 AM.
   - cron: "0 9 * * *"
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   lint-markdown:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/protect-released-changelog.yml b/.github/workflows/protect-released-changelog.yml
@@ -7,6 +7,10 @@ name: Protect released changelog
 on:
   pull_request:
     types: [opened, synchronize, reopened, labeled, unlabeled]
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   protect-released-changelog:
     runs-on: ubuntu-latest
