CI: Add GitHub token permissions for workflows (#36325)

varunsh-coder · XhmikosR · web-flow · commit 471edac3d3ca · 2022-12-16T09:20:12.000+02:00
Co-authored-by: XhmikosR &lt;xhmikosr@gmail.com&gt;
diff --git a/.github/workflows/browserstack.yml b/.github/workflows/browserstack.yml
@@ -8,6 +8,9 @@ env:
   FORCE_COLOR: 2
   NODE: 18
 
+permissions:
+  contents: read
+
 jobs:
   browserstack:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/bundlewatch.yml b/.github/workflows/bundlewatch.yml
@@ -11,6 +11,9 @@ env:
   FORCE_COLOR: 2
   NODE: 18
 
+permissions:
+  contents: read
+
 jobs:
   bundlewatch:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/cspell.yml b/.github/workflows/cspell.yml
@@ -10,8 +10,15 @@ on:
 env:
   FORCE_COLOR: 2
 
+permissions:
+  contents: read
+
 jobs:
   cspell:
+    permissions:
+      # allow streetsidesoftware/cspell-action to fetch files for commits and PRs
+      contents: read
+      pull-requests: read
     runs-on: ubuntu-latest
 
     steps:
diff --git a/.github/workflows/css.yml b/.github/workflows/css.yml
@@ -11,6 +11,9 @@ env:
   FORCE_COLOR: 2
   NODE: 18
 
+permissions:
+  contents: read
+
 jobs:
   css:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -11,6 +11,9 @@ env:
   FORCE_COLOR: 2
   NODE: 18
 
+permissions:
+  contents: read
+
 jobs:
   docs:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/issue-close-require.yml b/.github/workflows/issue-close-require.yml
@@ -4,8 +4,15 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   issue-close-require:
+    permissions:
+      # allow actions-cool/issues-helper to update issues and PRs
+      issues: write
+      pull-requests: write
     runs-on: ubuntu-latest
     if: github.repository == 'twbs/bootstrap'
     steps:
diff --git a/.github/workflows/issue-labeled.yml b/.github/workflows/issue-labeled.yml
@@ -4,8 +4,15 @@ on:
   issues:
     types: [labeled]
 
+permissions:
+  contents: read
+
 jobs:
   issue-labeled:
+    permissions:
+      # allow actions-cool/issues-helper to update issues and PRs
+      issues: write
+      pull-requests: write
     if: github.repository == 'twbs/bootstrap'
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/js.yml b/.github/workflows/js.yml
@@ -11,8 +11,15 @@ env:
   FORCE_COLOR: 2
   NODE: 18
 
+permissions:
+  contents: read
+
 jobs:
   run:
+    permissions:
+      # allow coverallsapp/github-action to create new checks issues and fetch code
+      checks: write
+      contents: read
     name: JS Tests
     runs-on: ubuntu-latest
 
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -11,6 +11,9 @@ env:
   FORCE_COLOR: 2
   NODE: 18
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/node-sass.yml b/.github/workflows/node-sass.yml
@@ -11,6 +11,9 @@ env:
   FORCE_COLOR: 2
   NODE: 18
 
+permissions:
+  contents: read
+
 jobs:
   css:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release-notes.yml b/.github/workflows/release-notes.yml
@@ -6,8 +6,15 @@ on:
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   update_release_draft:
+    permissions:
+      # allow release-drafter/release-drafter to create GitHub releases and add labels to PRs
+      contents: write
+      pull-requests: write
     runs-on: ubuntu-latest
     if: github.repository == 'twbs/bootstrap'
     steps:
