This adds a top-level permissions block to all workflows in wolfi-dev…

…/tools (#86) Signed-off-by: Matt Moore <[email protected]>
wolfi-dev · Jan 4, 2024 · ae1ce39 · ae1ce39
1 parent 8f7c500
commit ae1ce39
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 7 deletions.
diff --git a/.github/workflows/add-issues-to-project-images.yaml b/.github/workflows/add-issues-to-project-images.yaml
@@ -5,6 +5,8 @@ on:
     types:
       - opened
 
+permissions: {}
+
 jobs:
   add-to-project:
     name: Add issue to project

diff --git a/.github/workflows/presubmit-build.yaml b/.github/workflows/presubmit-build.yaml
@@ -1,6 +1,9 @@
 on:
   pull_request:
 
+permissions:
+  contents: read # Needed to clone the repo
+
 jobs:
   alpine-base:
     uses: ./.github/workflows/.build.yaml
@@ -23,12 +26,12 @@ jobs:
     with:
       image: melange
       melange-config: configs/latest.melange.yaml
-      
+
   musl-dynamic:
     uses: ./.github/workflows/.build.yaml
     with:
       image: musl-dynamic
-      
+
   sdk:
     uses: ./.github/workflows/.build.yaml
     with:

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -9,9 +9,9 @@ on:
 concurrency: release
 
 permissions:
-  id-token: write
-  packages: write
-  contents: read
+  contents: read  # Needed to clone the repo
+  id-token: write # Needed to sign images
+  packages: write # Needed to publish images to GHCR
 
 jobs:
   alpine-base:
@@ -39,13 +39,13 @@ jobs:
       image: melange
       melange-config: configs/latest.melange.yaml
       registry: ghcr.io/wolfi-dev/melange
-      
+
   musl-dynamic:
     uses: ./.github/workflows/.build.yaml
     with:
       image: musl-dynamic
       registry: ghcr.io/wolfi-dev/musl-dynamic
-      
+
   sdk:
     uses: ./.github/workflows/.build.yaml
     with:
-Original file line number
+Diff line change
@@ Expand Up / @@ -5,6 +5,8 @@ on: @@
         types:
           - opened
+    permissions: {}
     jobs:
       add-to-project:
         name: Add issue to project
@@ Expand Down @@