From: Andrew Clayton
Date: Wed, 10 Jun 2026 04:52:46 +0000 (+0100)
Subject: GH: explicitly set permissions in workflows
X-Git-Url: http://git.kaiwu.me/postgresql/log/contrib/postgres_fdw/static/NGINX-js-1660x332.png%20%22NGINX%20JavaScript%20Banner%22?a=commitdiff_plain;ds=inline;p=nginx.git
GH: explicitly set permissions in workflows
These will override the default repo/org GITHUB_TOKEN scope.
---
diff --git a/.github/workflows/buildbot.yml b/.github/workflows/buildbot.yml
index 484b74f98..490491f36 100644
--- a/.github/workflows/buildbot.yml
+++ b/.github/workflows/buildbot.yml
@@ -6,6 +6,9 @@ on:
 - master
 - 'stable-1.*'
+permissions:
+ contents: read
+
 jobs:
 buildbot:
 uses: nginx/ci-self-hosted/.github/workflows/nginx-buildbot.yml@main
diff --git a/.github/workflows/check-commit-message.yaml b/.github/workflows/check-commit-message.yaml
index 3f0cc8041..aedf45c34 100644
--- a/.github/workflows/check-commit-message.yaml
+++ b/.github/workflows/check-commit-message.yaml
@@ -7,6 +7,9 @@ on:
 pull_request:
 types: [ opened, synchronize ]
+permissions:
+ contents: read
+
 jobs:
 check-commit-messages:
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/check-pr.yml b/.github/workflows/check-pr.yml
index 92c0ea6bf..ccde32057 100644
--- a/.github/workflows/check-pr.yml
+++ b/.github/workflows/check-pr.yml
@@ -3,6 +3,10 @@ name: check-pr
 on:
 pull_request:
+permissions:
+ contents: read
+ pull-requests: read
+
 jobs:
 check-pr:
 uses: nginx/ci-self-hosted/.github/workflows/nginx-check-pr.yml@main
diff --git a/.github/workflows/check-version-bump.yaml b/.github/workflows/check-version-bump.yaml
index d7e12c8e3..0f2321dda 100644
--- a/.github/workflows/check-version-bump.yaml
+++ b/.github/workflows/check-version-bump.yaml
@@ -4,6 +4,9 @@ on:
 pull_request:
 types: [ opened, synchronize ]
+permissions:
+ contents: read
+
 jobs:
 check-version-bump:
 runs-on: ubuntu-24.04
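Review bot: The `permissions: contents: read` block added to buildbot.yml is also the upper bound for the reusable workflow on the `uses:` line, because a called workflow can only keep or reduce the caller's GITHUB_TOKEN scope, and nothing in the hunk records that. A comment above the block such as `# Caps GITHUB_TOKEN for the called nginx-buildbot.yml; widen here if that workflow needs more scopes` would save the next editor a confusing failure. The same applies to check-pr.yml, which calls nginx-check-pr.yml with `contents: read` and `pull-requests: read`. Both callers reference the workflow at `@main`, a moving ref, so the token goes to whatever that branch holds at run time; pinning to a full commit SHA (`nginx-buildbot.yml@<commit-sha>`) would make the reviewed scope match the code that receives it. The called workflows are outside this diff, so whether these scopes are sufficient for them cannot be confirmed from here.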
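Review bot: Setting any key under `permissions:` sets every unlisted scope to `none`, and the block added to check-commit-message.yaml does not say so; a one-line comment, `# Scopes not listed here are set to none for GITHUB_TOKEN`, would tell a later editor why a newly added step that needs another scope fails. The identical block is added to check-version-bump.yaml and check-whitespace.yaml, so the comment belongs there as well. The job steps are outside the hunks, so I cannot confirm that `contents: read` covers everything they call; a run on a same-repository pull request would show it.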
diff --git a/.github/workflows/check-whitespace.yaml b/.github/workflows/check-whitespace.yaml
index e76bd1530..2b127d763 100644
--- a/.github/workflows/check-whitespace.yaml
+++ b/.github/workflows/check-whitespace.yaml
@@ -6,6 +6,9 @@ on:
 pull_request:
 types: [ opened, synchronize ]
+permissions:
+ contents: read
+
 jobs:
 check-whitespace:
 runs-on: ubuntu-24.04