From 06f5684455d318864a5dba45c935d350b343500c Mon Sep 17 00:00:00 2001
From: Anton Belodedenko <2033996+ab77@users.noreply.github.com>
Date: Mon, 18 Nov 2024 12:00:46 -0800
Subject: [PATCH] Explicitly set GH_TOKEN permissions

change-type: patch
---
 .github/workflows/flowzone.yml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/.github/workflows/flowzone.yml b/.github/workflows/flowzone.yml
index 2eb331d7..454aaa5a 100644
--- a/.github/workflows/flowzone.yml
+++ b/.github/workflows/flowzone.yml
@@ -9,6 +9,27 @@ on:
 types: [opened, synchronize, closed]
 branches: [main, master]
 
+# Base permissions required by Flowzone
+# https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
+# https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+ actions: none
+ attestations: none
+ checks: none
+ contents: read
+ deployments: none
+ id-token: none
+ issues: none
+ discussions: none
+ pages: none
+ pull-requests: none
+ repository-projects: none
+ security-events: none
+ statuses: none
+
+ # Additional permissions needed by this repo, such as:
+ packages: write # Allow Flowzone to publish to ghcr.io
+
 jobs:
 flowzone:
 name: Flowzone
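Review bot: `packages: write` is the only write scope in the new top-level `permissions:` block, and at workflow level it is granted to every job and every trigger rather than only to the job that publishes. The comment above it reads like template text (`such as:`), so confirm this repository really pushes to ghcr.io; if it does not, drop the line so the automatic token stays read-only. If it does, consider scoping it on the job instead, e.g. `permissions: {contents: read, packages: write}` under `jobs.flowzone`, so jobs added later do not inherit it. The `on:` event names and the body of the `flowzone` job are outside the hunk; if the workflow also runs on `pull_request_target`, this token is issued to runs triggered from forks as well, which makes the narrower scope more important.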