From b3b1fa70dc11f18cf9b8b4bc16c0b42ec529d673 Mon Sep 17 00:00:00 2001 From: Jan Calanog Date: Tue, 12 Mar 2024 17:54:10 +0100 Subject: [PATCH] security: add permissions block to workflows (#80) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Details ⚠️ This PR was created by an automated tool. Please review the changes carefully. ⚠️ We want to set the default permissions for workflows to read-only for contents. This is a security measure to prevent accidental changes to the repository. This change adds a top-level permissions block to all workflows in the .github/workflows directory. ```yaml permissions: contents: read ``` In some cases workflows might need more permissions than just `contents: read`. Please checkout this branch and add the necessary permissions to the workflows. If your workflow uses a Personal Access Token (PAT), we can still add the permissions block, but it will not have any effect. Merging this PR as is might cause workflows that need more permissions to fail. If there are any questions, please reach out to the @elastic/observablt-ci --- .github/workflows/add-issues-to-ingest-board.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/add-issues-to-ingest-board.yml b/.github/workflows/add-issues-to-ingest-board.yml index 499fa012ef..8d063114d9 100644 --- a/.github/workflows/add-issues-to-ingest-board.yml +++ b/.github/workflows/add-issues-to-ingest-board.yml @@ -13,6 +13,9 @@ env: AREA_FIELD_ID: 'PVTSSF_lADOAGc3Zs4AEzn4zgEgZSo' ELASTIC_AGENT_OPTION_ID: 'c1e1a30a' +permissions: + contents: read + jobs: add_to_ingest_project: runs-on: ubuntu-latest