Merge pull request #66 from fish-shop/workflow-permissions

Remediate permissive workflow permissions
fish-shop · Jul 15, 2024 · 6be5cf4 · 6be5cf4
2 parents d9ea0d5 + af8f79c
commit 6be5cf4
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 0 deletions.
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -3,6 +3,11 @@ on:
   pull_request:
     branches:
       - main
+
+permissions: read-all
+
 jobs:
   dependency-review:
+    permissions:
+      pull-requests: write
     uses: fish-shop/workflows/.github/workflows/dependency-review.yml@f951556b7e3f758443e987d8d9f6f7525309bce3 # v1.9.3
diff --git a/.github/workflows/markdown-links.yml b/.github/workflows/markdown-links.yml
@@ -3,6 +3,11 @@ on:
   pull_request:
     branches:
       - main
+
+permissions: read-all
+
 jobs:
   markdown-links:
+    permissions:
+      pull-requests: write
     uses: fish-shop/workflows/.github/workflows/markdown-links.yml@f951556b7e3f758443e987d8d9f6f7525309bce3 # v1.9.3
diff --git a/.github/workflows/release-tags.yml b/.github/workflows/release-tags.yml
@@ -3,6 +3,11 @@ on:
   push:
     tags:
       - v[0-9]+.[0-9]+.[0-9]+
+
+permissions: read-all
+
 jobs:
   release-tags:
+    permissions:
+      contents: write
     uses: fish-shop/workflows/.github/workflows/release-tags.yml@f951556b7e3f758443e987d8d9f6f7525309bce3 # v1.9.3