👷 Add explicit least privilege permissions for each workflow

stevenbal · stevenbal · commit 752c010d7902 · 2026-03-24T10:04:07.000+01:00
diff --git a/.github/workflows/bin-check.yml b/.github/workflows/bin-check.yml
@@ -8,6 +8,10 @@ on:
   pull_request:
   workflow_dispatch:
 
+# least privilege as default, should be overridden per job if necessary
+permissions:
+  contents: read
+
 jobs:
   dump_data:
     name: Test dump_data.sh
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -9,6 +9,10 @@ on:
   pull_request:
   workflow_dispatch:
 
+# least privilege as default, should be overridden per job if necessary
+permissions:
+  contents: read
+
 env:
   IMAGE_NAME: maykinmedia/objecttypes-api
 
diff --git a/.github/workflows/code-quality.yml b/.github/workflows/code-quality.yml
@@ -7,6 +7,10 @@ on:
   pull_request:
   workflow_dispatch:
 
+# least privilege as default, should be overridden per job if necessary
+permissions:
+  contents: read
+
 jobs:
   open-api-workflow-code-quality:
     uses: maykinmedia/open-api-workflows/.github/workflows/code-quality.yml@v6
diff --git a/.github/workflows/oaf-check.yml b/.github/workflows/oaf-check.yml
@@ -10,6 +10,9 @@ on:
   schedule:
     - cron: '0 7 * * 1'
 
+# least privilege as default, should be overridden per job if necessary
+permissions:
+  contents: read
 
 jobs:
   open-api-workflow-check-oas:
diff --git a/.github/workflows/oas.yml b/.github/workflows/oas.yml
@@ -10,6 +10,10 @@ on:
   pull_request:
   workflow_dispatch:
 
+# least privilege as default, should be overridden per job if necessary
+permissions:
+  contents: read
+
 jobs:
   oas:
     name: Checks
diff --git a/.github/workflows/quick_start.yml b/.github/workflows/quick_start.yml
@@ -9,6 +9,10 @@ on:
       - '**'
   workflow_dispatch:
 
+# least privilege as default, should be overridden per job if necessary
+permissions:
+  contents: read
+
 jobs:
   open-api-workflow-quick-start:
     uses: maykinmedia/open-api-workflows/.github/workflows/quick-start.yml@v6
