build: explicitly set permissions for workflows

Planeshifter · Planeshifter · commit 970198408583 · 2023-12-12T21:24:00.000-05:00
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -31,6 +31,11 @@ on:
   # Allow the workflow to be manually run:
   workflow_dispatch:
 
+# Global permissions:
+permissions:
+  # Allow read-only access to the repository contents:
+  contents: read
+
 # Workflow jobs:
 jobs:
 
diff --git a/.github/workflows/process_metadata.yml b/.github/workflows/process_metadata.yml
@@ -27,6 +27,11 @@ on:
   issue_comment:
     types: [created, edited]
 
+# Global permissions:
+permissions:
+  # Allow read-only access to the repository contents:
+  contents: read
+
 # Workflow jobs:
 jobs:
 
diff --git a/.github/workflows/scaffold_pkg_via_branch_push.yml b/.github/workflows/scaffold_pkg_via_branch_push.yml
@@ -26,6 +26,11 @@ on:
       - 'scaffold/**'
       - 'scaffold-**/**'
 
+# Global permissions:
+permissions:
+  # Allow read-only access to the repository contents:
+  contents: read
+
 # Workflow jobs:
 jobs:
 
diff --git a/.github/workflows/scaffold_pkg_via_issue_comment.yml b/.github/workflows/scaffold_pkg_via_issue_comment.yml
@@ -24,6 +24,11 @@ on:
   issue_comment:
     types: [created]
 
+# Global permissions:
+permissions:
+  # Allow read-only access to the repository contents:
+  contents: read
+
 # Workflow jobs:
 jobs:
   scaffold:
diff --git a/.github/workflows/scaffold_pkg_via_pull_request_assignment.yml b/.github/workflows/scaffold_pkg_via_pull_request_assignment.yml
@@ -24,6 +24,11 @@ on:
   pull_request_target:
     types: [assigned]
 
+# Global permissions:
+permissions:
+  # Allow read-only access to the repository contents:
+  contents: read
+
 # Workflow jobs:
 jobs:
 
diff --git a/.github/workflows/terminal.yml b/.github/workflows/terminal.yml
@@ -23,6 +23,11 @@ name: terminal
 on:
   workflow_dispatch:
 
+# Global permissions:
+permissions:
+  # Allow read-only access to the repository contents:
+  contents: read
+
 # Workflow jobs:
 jobs:
 
