chore(ci): restrict workflow permissions

openfga · Nov 5, 2024 · fbbe656 · fbbe656
1 parent 29c1b72
commit fbbe656
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 0 deletions.
diff --git a/config/clients/dotnet/config.overrides.json b/config/clients/dotnet/config.overrides.json
@@ -35,6 +35,10 @@
   "hashCodeMultiplierPrimeNumber": 9923,
   "supportsOpenTelemetry": true,
   "files": {
+    ".github/workflows/main.yaml.mustache": {
+      "destinationFilename": ".github/workflows/main.yaml",
+      "templateType": "SupportingFiles"
+    },
     "Client_OAuth2Client.mustache": {
       "destinationFilename": "src/OpenFga.Sdk/ApiClient/OAuth2Client.cs",
       "templateType": "SupportingFiles"

diff --git a/config/clients/dotnet/template/.github/workflows/main.yaml.mustache b/config/clients/dotnet/template/.github/workflows/main.yaml.mustache
@@ -7,6 +7,9 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -81,6 +84,9 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/v')
     needs: publish
 
+    permissions:
+      contents: write
+
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:

diff --git a/config/common/files/.github/workflows/semgrep.yaml b/config/common/files/.github/workflows/semgrep.yaml
@@ -3,6 +3,10 @@ on:
   push:
     branches:
       - main
+
+permissions:
+  contents: read
+
 jobs:
   semgrep:
     name: Scan