chore(ci): define workflow token permissions (#79)

thevilledev · web-flow · commit 6b275bbca8bc · 2025-08-11T10:13:04.000+03:00
* chore(ci): define workflow token permissions

Best practice. Also has a minor effect on the OpenSSF scorecard.

---------

Signed-off-by: Ville Vesilehto &lt;ville.vesilehto@upcloud.com&gt;
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -8,11 +8,16 @@ on:
       - main
       - test-docs-generator # for testing
 
+permissions:
+  contents: read
+
 jobs:
   update:
     name: Update
     if: github.event.pull_request.merged == true
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -1,6 +1,13 @@
 name: Lint
 on:
   pull_request:
+    paths:
+      - '**.go'
+      - 'go.mod'
+      - 'go.sum'
+      - '.github/workflows/lint.yaml'
+permissions:
+  contents: read
 jobs:
   golangci-lint:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/notify-integration-release-via-manual.yaml b/.github/workflows/notify-integration-release-via-manual.yaml
@@ -12,9 +12,15 @@ on:
         description: "A branch or SHA"
         default: 'main'
         required: false
+
+permissions:
+  contents: read
+
 jobs:
   notify-release:
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
     steps:
       - name: Checkout this repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/notify-integration-release-via-tag.yaml b/.github/workflows/notify-integration-release-via-tag.yaml
@@ -2,10 +2,16 @@ name: Notify Integration Release (Tag)
 on:
   push:
     tags:
-      - '*.*.*'   # Proper releases
+      - 'v*.*.*'   # Proper releases
+
+permissions:
+  contents: read
+
 jobs:
   strip-version:
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
     outputs:
       packer-version: ${{ steps.strip.outputs.packer-version }}
     steps:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -3,9 +3,17 @@ on:
   push:
     tags:
       - "v*"
+
+permissions:
+  contents: read
+
 jobs:
   goreleaser:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+      packages: write
     steps:
       - name: Checkout head
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/test-plugin-example.yml b/.github/workflows/test-plugin-example.yml
@@ -16,6 +16,9 @@ on:
         required: false
         default: "./example"
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -6,6 +6,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   test:
     strategy:
