Fix Token-Permissions OpenSSF remarks

aobolensk · aobolensk · commit 43ae338a9af9 · 2025-10-22T21:01:01.000+02:00
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -5,6 +5,9 @@ on:
     - cron: '0 0 * * *'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -3,6 +3,9 @@ name: "Label PRs"
 on:
   - pull_request_target
 
+permissions:
+  contents: read
+
 jobs:
   label-pull-requests:
     runs-on: ubuntu-24.04
diff --git a/.github/workflows/mac.yml b/.github/workflows/mac.yml
@@ -1,6 +1,9 @@
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   clang-build:
     runs-on: macOS-latest
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -8,6 +8,9 @@ on:
     - cron: '0 0 * * *'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: >-
@@ -18,10 +21,16 @@ concurrency:
 jobs:
   pre-commit:
     uses: ./.github/workflows/pre-commit.yml
+    permissions:
+      contents: read
+      packages: read
   ubuntu:
     needs:
       - pre-commit
     uses: ./.github/workflows/ubuntu.yml
+    permissions:
+      contents: read
+      packages: read
   mac:
     needs:
       - pre-commit
@@ -36,8 +45,15 @@ jobs:
       - mac
       - windows
     uses: ./.github/workflows/perf.yml
+    permissions:
+      contents: read
+      packages: read
 
   pages:
     needs:
       - perf
     uses: ./.github/workflows/pages.yml
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
diff --git a/.github/workflows/perf.yml b/.github/workflows/perf.yml
@@ -1,6 +1,10 @@
 on:
   workflow_call:
 
+permissions:
+  contents: read
+  packages: read
+
 jobs:
   ubuntu-gcc-build-perf-stats:
     runs-on: ubuntu-24.04
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -5,6 +5,10 @@ on:
   pull_request:
   workflow_call:
 
+permissions:
+  contents: read
+  packages: read
+
 jobs:
   pre-commit:
     runs-on: ubuntu-24.04
diff --git a/.github/workflows/static-analysis-pr.yml b/.github/workflows/static-analysis-pr.yml
@@ -19,6 +19,10 @@ concurrency:
         github.event_name != 'merge_group' &&
         !startsWith(github.ref, 'refs/heads/gh-readonly-queue') }}
 
+permissions:
+  contents: read
+  packages: read
+
 jobs:
   clang-tidy:
     runs-on: ubuntu-24.04
diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml
@@ -1,6 +1,10 @@
 on:
   workflow_call:
 
+permissions:
+  contents: read
+  packages: read
+
 jobs:
   gcc-build:
     runs-on: ${{ matrix.os }}
@@ -330,6 +334,11 @@ jobs:
       - gcc-test-extended
       - clang-test-extended
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      packages: read
+      issues: write
+      pull-requests: write
     container:
       image: ghcr.io/learning-process/ppc-ubuntu:1.1
       credentials:
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
@@ -1,6 +1,9 @@
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   msvc-build:
     runs-on: windows-latest
