chore: add explicit GitHub workflow permissions

PiperOrigin-RevId: 815915576
2026-01-09 07:21:09 +08:00 · 2025-10-06 15:48:26 -07:00 · 2025-10-06 15:48:26 -07:00 · 417e1cfe67
commit 417e1cfe67
parent 5345efddde
9 changed files with 35 additions and 1 deletions
--- a/.github/workflows/build-catalog.yml
+++ b/.github/workflows/build-catalog.yml
@ -2,6 +2,9 @@ name: Build Catalog

 on: [push]

+permissions:
+  contents: read
+
 jobs:
  build-catalog:
    runs-on: ubuntu-latest
@ -16,4 +19,4 @@ jobs:
      - run: npm ci
      - run: npm run build:catalog
        env:
-          WIREIT_FAILURES: continue
+          WIREIT_FAILURES: continue
--- a/.github/workflows/commitlint.yml
+++ b/.github/workflows/commitlint.yml
@ -2,6 +2,9 @@ name: commitlint

 on: [pull_request]

+permissions:
+  contents: read
+
 jobs:
  commitlint:
    runs-on: ubuntu-latest
--- a/.github/workflows/firebase-hosting-merge.yml
+++ b/.github/workflows/firebase-hosting-merge.yml
@ -5,6 +5,10 @@ name: Deploy to Firebase Hosting on release and manual
      - published
  workflow_dispatch:
    # allows triggering from the gihub UI
+
+permissions:
+  contents: read
+
 jobs:
  build_and_deploy:
    runs-on: ubuntu-latest
--- a/.github/workflows/firebase-hosting-pull-request.yml
+++ b/.github/workflows/firebase-hosting-pull-request.yml
@ -5,6 +5,11 @@ name: Deploy to Firebase Hosting on PR
 on:
  pull_request:
    types: [ labeled ]
+
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
  build_and_preview:
    if: github.event.label.name == 'preview-catalog' && github.event.pull_request.head.repo.full_name == github.repository
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@ -6,6 +6,9 @@ on:
  workflow_dispatch:
    # allows triggering from the github UI

+permissions:
+  contents: write
+
 jobs:
  check_for_changes:
    runs-on: ubuntu-latest
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@ -5,6 +5,9 @@ on:
    tags:
      - 'v*'

+permissions:
+  contents: read
+
 jobs:
  publish:
    runs-on: ubuntu-latest
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -2,6 +2,9 @@ name: Tests

 on: [push]

+permissions:
+  contents: read
+
 jobs:
  build:
    runs-on: ubuntu-latest
--- a/.github/workflows/update-docs-on-main.yml
+++ b/.github/workflows/update-docs-on-main.yml
@ -5,6 +5,11 @@ on:
    branches: main
  workflow_dispatch:
    # allows triggering from the github UI
+
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
  check-for-doc-changes:
    runs-on: ubuntu-latest
--- a/.github/workflows/update-size-on-main.yml
+++ b/.github/workflows/update-size-on-main.yml
@ -5,6 +5,11 @@ on:
    branches: main
  workflow_dispatch:
    # allows triggering from the github UI
+
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
  check-for-doc-changes:
    runs-on: ubuntu-latest