diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml index b32c0a2647..e7c63eed9a 100644 --- a/.github/workflows/codespell.yml +++ b/.github/workflows/codespell.yml @@ -3,6 +3,8 @@ # https://github.com/codespell-project/codespell name: codespell on: [push, pull_request] +permissions: + contents: read # to fetch code (actions/checkout) jobs: codespell: name: Check for spelling errors diff --git a/.github/workflows/generate_files.yml b/.github/workflows/generate_files.yml index c1562b3918..bbeef6eaee 100644 --- a/.github/workflows/generate_files.yml +++ b/.github/workflows/generate_files.yml @@ -9,8 +9,12 @@ on: # to exclude it. - '!21.x' +permissions: {} jobs: cmake: + permissions: + contents: write # for git push + if: github.repository == 'protocolbuffers/protobuf' runs-on: ubuntu-latest diff --git a/.github/workflows/objc_cocoapods.yml b/.github/workflows/objc_cocoapods.yml index d828ae390c..939e89096e 100644 --- a/.github/workflows/objc_cocoapods.yml +++ b/.github/workflows/objc_cocoapods.yml @@ -18,6 +18,9 @@ on: - '!objectivec/ProtocolBuffers_*.xcodeproj/**' - '!objectivec/Tests/**' +permissions: + contents: read # to fetch code (actions/checkout) + jobs: pod-lib-lint: runs-on: macos-latest diff --git a/.github/workflows/php-ext.yml b/.github/workflows/php-ext.yml index 17b6adf9d5..da7e6f8165 100644 --- a/.github/workflows/php-ext.yml +++ b/.github/workflows/php-ext.yml @@ -4,6 +4,9 @@ on: - push - pull_request +permissions: + contents: read # to fetch code (actions/checkout) + jobs: build-php: name: Build PHP extension diff --git a/.github/workflows/update_php_repo.yml b/.github/workflows/update_php_repo.yml index 2224cd209e..4af48dc107 100644 --- a/.github/workflows/update_php_repo.yml +++ b/.github/workflows/update_php_repo.yml @@ -6,6 +6,9 @@ on: - v[0-9]+.[0-9]+ - v[0-9]+.[0-9]+-rc[0-9]+ +permissions: + contents: read # to fetch code in 'Clone protobuf' (actions/checkout) + jobs: update-repo: name: Update PHP Repo
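Review bot: In .github/workflows/codespell.yml the `contents: read` grant sits at workflow level, so any job added to this file later inherits it without a per-job decision. generate_files.yml in this same commit uses the stricter layout: `permissions: {}` at the top, with the grant under the job. The same would work here by setting the top level to `permissions: {}` and moving `contents: read` under `codespell:`. The hunks for objc_cocoapods.yml, php-ext.yml and update_php_repo.yml use the same workflow-level pattern. The job bodies continue outside these hunks, so whether any step needs a further scope is not visible here.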
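Review bot: In .github/workflows/generate_files.yml, `contents: write` is granted to the whole `cmake` job, so every step runs with a token that can push, not only the step that does the `git push`. The steps are outside the hunk. If the job checks out with actions/checkout, the default credential persistence presumably leaves that write token readable by the generation scripts that run before the push. Consider a read-only job for the file generation and a small second job holding `contents: write` for the commit and push. At minimum, widen the comment to `contents: write # for git push of regenerated files; token is available to every step in this job`.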
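Review bot: In .github/workflows/update_php_repo.yml the added comment explains why `contents: read` is needed, but not how a job named `Update PHP Repo` writes anything with a read-only token. The steps are outside the hunk; presumably the update is pushed with a separate credential. If so, that credential is the sensitive one in this workflow and this block does not constrain it. Once confirmed against the steps, a comment above `permissions:` such as `# GITHUB_TOKEN is read-only here; the push to the PHP repo uses a separate credential` would make that explicit.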