diff --git a/.github/workflows/approve-readme.yaml b/.github/workflows/approve-readme.yaml
index 59f00b8eb..7df783663 100644
--- a/.github/workflows/approve-readme.yaml
+++ b/.github/workflows/approve-readme.yaml
@@ -14,6 +14,9 @@
 # Github action job to test core java library features on
 # downstream client libraries before they are released.
 on:
+
+permissions:
+ contents: read
 pull_request:
 name: auto-merge-readme
 jobs:
diff --git a/.github/workflows/auto-release.yaml b/.github/workflows/auto-release.yaml
index 18d92e5a2..d4e23a8e8 100644
--- a/.github/workflows/auto-release.yaml
+++ b/.github/workflows/auto-release.yaml
@@ -14,6 +14,9 @@
 # Github action job to test core java library features on
 # downstream client libraries before they are released.
 on:
+
+permissions:
+ contents: read
 pull_request:
 name: auto-release
 jobs:
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index c1a809fe1..413aeb523 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1,4 +1,7 @@
 on:
+
+permissions:
+ contents: read
 push:
 branches:
 - main
diff --git a/.github/workflows/downstream.yaml b/.github/workflows/downstream.yaml
index 910e73a59..4b9078411 100644
--- a/.github/workflows/downstream.yaml
+++ b/.github/workflows/downstream.yaml
@@ -1,4 +1,7 @@
 on:
+
+permissions:
+ contents: read
 pull_request:
 types: [ labeled ]
 branches:
diff --git a/.github/workflows/renovate_config_check.yaml b/.github/workflows/renovate_config_check.yaml
index d3467e9d2..62cd07959 100644
--- a/.github/workflows/renovate_config_check.yaml
+++ b/.github/workflows/renovate_config_check.yaml
@@ -1,5 +1,8 @@
 name: Renovate Bot Config Validation
+permissions:
+ contents: read
+
 on:
 pull_request:
 paths:
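Review bot: In approve-readme.yaml the added `permissions:` block lands between `on:` and what appears to be its trigger key `pull_request:`, so `on:` is left without a value and the trigger is either parsed under `permissions` or rejected (indentation is not visible in this view, so the exact failure is inferred). The same insertion point is used in auto-release.yaml, ci.yaml (ahead of `push:`) and downstream.yaml; only renovate_config_check.yaml places the block before `on:`. A workflow that fails to load does not run at all, so these CI checks would disappear rather than run with a narrower token. Move the block above `on:` in each of the four files, i.e. `permissions:` / `  contents: read`, a blank line, then `on:` with its triggers directly beneath. The job bodies are outside these hunks, so confirm separately that the approve-readme and auto-release jobs do not need more than `contents: read` for whatever they do to pull requests.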
@@ -12,10 +15,12 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Set up Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: '20'