[PM-21825] Set missing workflow permissions (#5235)

2026-03-24 23:32:29 -05:00 · 2025-05-21 14:17:01 +01:00
parent 5c3008d080
commit 6ccb035ffd
8 changed files with 19 additions and 1 deletions
--- a/.github/workflows/build-authenticator.yml
+++ b/.github/workflows/build-authenticator.yml
@@ -29,6 +29,10 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  JAVA_VERSION: 17

+permissions:
+  contents: read
+  packages: read
+
 jobs:
  build:
    name: Build Authenticator
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -30,6 +30,10 @@ env:
  JAVA_VERSION: 17
  GITHUB_ACTION_RUN_URL: "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"

+permissions:
+  contents: read
+  packages: read
+
 jobs:
  build:
    name: Build
--- a/.github/workflows/crowdin-pull-authenticator.yml
+++ b/.github/workflows/crowdin-pull-authenticator.yml
@@ -10,6 +10,9 @@ jobs:
  crowdin-sync:
    name: Autosync
    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+      pull-requests: write
    env:
      _CROWDIN_PROJECT_ID: "673718"
    steps:
--- a/.github/workflows/crowdin-pull.yml
+++ b/.github/workflows/crowdin-pull.yml
@@ -10,6 +10,9 @@ jobs:
  crowdin-sync:
    name: Autosync
    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+      pull-requests: write
    env:
      _CROWDIN_PROJECT_ID: "269690"
    steps:
--- a/.github/workflows/crowdin-push-authenticator.yml
+++ b/.github/workflows/crowdin-push-authenticator.yml
@@ -13,6 +13,8 @@ jobs:
  crowdin-push:
    name: Crowdin Push
    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
    env:
      _CROWDIN_PROJECT_ID: "673718"
    steps:
--- a/.github/workflows/crowdin-push.yml
+++ b/.github/workflows/crowdin-push.yml
@@ -10,6 +10,8 @@ jobs:
  crowdin-push:
    name: Crowdin Push
    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
    env:
      _CROWDIN_PROJECT_ID: "269690"
    steps:
--- a/.github/workflows/github-release.yml
+++ b/.github/workflows/github-release.yml
@@ -41,7 +41,6 @@ jobs:
    runs-on: ubuntu-24.04
    permissions:
      contents: write
-      actions: read

    steps:
      - name: Check out repository
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -15,6 +15,7 @@ jobs:
  check-run:
    name: Check PR run
    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
+    permissions: read-all

  sast:
    name: SAST scan