diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8c09281f61b..ad4327c4ca2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,4 +1,6 @@
 name: "CI/CD Pipeline"
+permissions:
+ contents: read
 on:
 push:
 branches-ignore:
@@ -146,6 +148,10 @@ jobs:
 needs: [test, api-test]
 runs-on: ubuntu-latest
 if: github.repository == 'juice-shop/juice-shop' && github.event_name == 'push'
+ permissions:
+ contents: read
+ checks: write
+ pull-requests: write
 steps:
 - name: "Check out Git repository"
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
diff --git a/.github/workflows/lint-fixer.yml b/.github/workflows/lint-fixer.yml
index 907f841e1b8..cf786fba6a0 100644
--- a/.github/workflows/lint-fixer.yml
+++ b/.github/workflows/lint-fixer.yml
@@ -2,6 +2,9 @@ name: "Let me lint:fix that for you"
 on: [push]
+permissions:
+ contents: write
+
 jobs:
 LMLFTFY:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml
index f999d22edf1..d99407a4182 100644
--- a/.github/workflows/rebase.yml
+++ b/.github/workflows/rebase.yml
@@ -1,5 +1,8 @@
 name: Automatic Rebase
+permissions:
+ contents: read
+
 on:
 issue_comment:
 types: [created]
@@ -9,6 +12,9 @@ jobs:
 name: Rebase
 if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase')
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
 with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index aa11e374484..5111c2e108b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,10 +3,14 @@ on:
 push:
 tags:
 - v*
+permissions:
+ contents: read
 env:
 CYCLONEDX_NPM_VERSION: '^2.0.0||^3.0.0'
 jobs:
 package:
+ permissions:
+ contents: write
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
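Review bot: The job-level `checks: write` and `pull-requests: write` added after the `if:` line are not tied to any step visible in the hunk, which shows only the checkout step; the rest of the job lies outside the hunk. A short inline comment per write scope naming the step that consumes it, e.g. `checks: write  # needed by <step name>`, keeps the grant auditable and makes it obvious when a later step removal should also drop the scope. The same undocumented job-level write grants appear on `package` in release.yml and on `UpdateNewsOnWebsite` in update-news-www.yml.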
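Review bot: The workflow-level `permissions:` block in lint-fixer.yml grants `contents: write` to every job in the file, whereas ci.yml and rebase.yml in this same change set `contents: read` at workflow level and grant `write` only on the job that needs it. Keeping the top-level block as `permissions:` / `  contents: read` and placing `    permissions:` / `      contents: write` under `LMLFTFY:` gives any job added later a read-only token by default; the job's steps lie outside the hunk, so which step needs write is not visible here. update-challenges-ebook.yml and update-challenges-www.yml use the same workflow-wide write grant and would benefit from the same split.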
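Review bot: The job-level `contents: write` and `pull-requests: write` in rebase.yml are granted to a job whose only gate is the `if:` line above, which checks that the comment is on a pull request and contains '/rebase' but not who posted it, so the write-scoped run can be started by any commenter. Unless the rebase step (outside the hunk) enforces this itself, extending the condition with an author check, e.g. `contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)`, limits the write-scoped run to trusted accounts. The job's steps continue outside the hunk.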
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 0519859a7b5..45b838c8286 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -5,6 +5,10 @@ on:
 jobs:
 stale:
+ permissions:
+ contents: read
+ issues: write
+ pull-requests: write
 runs-on: ubuntu-latest
 steps:
 - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e #v9.0.0
diff --git a/.github/workflows/update-challenges-ebook.yml b/.github/workflows/update-challenges-ebook.yml
index 9810a5ab503..b5b41a7880e 100644
--- a/.github/workflows/update-challenges-ebook.yml
+++ b/.github/workflows/update-challenges-ebook.yml
@@ -1,5 +1,8 @@
 name: "Update challenges in Companion Guide"
+permissions:
+ contents: write
+
 on:
 push:
 branches: [ master, develop ]
diff --git a/.github/workflows/update-challenges-www.yml b/.github/workflows/update-challenges-www.yml
index caaa7405bf1..34749cbbf80 100644
--- a/.github/workflows/update-challenges-www.yml
+++ b/.github/workflows/update-challenges-www.yml
@@ -6,6 +6,9 @@ on:
 paths:
 - 'data/static/challenges.yml'
+permissions:
+ contents: write
+
 jobs:
 UpdateChallengesOnWebsite:
 if: github.repository == 'juice-shop/juice-shop'
diff --git a/.github/workflows/update-news-www.yml b/.github/workflows/update-news-www.yml
index 26757465a1a..d671ec4ffed 100644
--- a/.github/workflows/update-news-www.yml
+++ b/.github/workflows/update-news-www.yml
@@ -7,6 +7,8 @@ on:
 jobs:
 UpdateNewsOnWebsite:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 steps:
 - name: Check out Git repository
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
diff --git a/.github/workflows/zap_scan.yml b/.github/workflows/zap_scan.yml
index 44117a146b3..c1a7c0b0128 100644
--- a/.github/workflows/zap_scan.yml
+++ b/.github/workflows/zap_scan.yml
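Review bot: stale.yml gains a job-level `permissions:` block but, unlike ci.yml, rebase.yml and release.yml in this change, no workflow-level default, so any other job in the file (none is visible in the hunk) keeps the repository's default token permissions. Adding `permissions:` / `  contents: read` (or `permissions: {}`) at workflow level makes the restriction apply file-wide; if the file holds only the `stale` job this is a consistency point rather than a gap. update-news-www.yml and zap_scan.yml have the same job-only placement.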
@@ -8,6 +8,8 @@ jobs:
 zap_scan:
 runs-on: ubuntu-latest
 name: Scan Juice Shop preview instance on Heroku
+ permissions:
+ contents: read
 steps:
 - name: Check out Git repository
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2