ci: Add GitHub token permissions for workflows (#61065)

Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>
2026-05-18 01:49:01 +00:00 · 2022-07-05 14:53:20 -07:00
parent 3fe008f968
commit dc991ecf99
5 changed files with 20 additions and 0 deletions
--- a/.github/workflows/CI.yml
+++ b/.github/workflows/CI.yml
@@ -1,6 +1,9 @@
 name: CI
 on: pull_request

+permissions:
+  contents: read
+
 jobs:
  test:
    runs-on: ubuntu-latest
--- a/.github/workflows/UpdateCodeowners.yml
+++ b/.github/workflows/UpdateCodeowners.yml
@@ -10,6 +10,9 @@ on:
    - cron: "5 8 * * 1"
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  update:
    runs-on: ubuntu-latest
--- a/.github/workflows/ghostbuster.yml
+++ b/.github/workflows/ghostbuster.yml
@@ -11,8 +11,14 @@ on:
        required: false
        default: "false"

+permissions:
+  contents: read
+
 jobs:
  ghostbust:
+    permissions:
+      contents: write  # for Git to git push
+      pull-requests: write  # for peter-evans/create-pull-request to create a PR
    runs-on: ubuntu-latest
    if: github.repository == 'DefinitelyTyped/DefinitelyTyped'

--- a/.github/workflows/lint-md.yml
+++ b/.github/workflows/lint-md.yml
@@ -3,6 +3,9 @@ on:
  pull_request:
    paths:
      - '**.md'
+permissions:
+  contents: read
+
 jobs:
  lint-md:
    runs-on: ubuntu-latest
--- a/.github/workflows/support-window.yml
+++ b/.github/workflows/support-window.yml
@@ -10,8 +10,13 @@ on:
  # Manually, when TypeScript is released
  # https://docs.github.com/en/actions/managing-workflow-runs/manually-running-a-workflow
  workflow_dispatch:
+permissions:
+  contents: read
+
 jobs:
  support-window:
+    permissions:
+      contents: write  # for Git to git push
    if: github.repository == 'DefinitelyTyped/DefinitelyTyped'
    runs-on: ubuntu-latest
    steps: