From bdf0eb2ad7e49d649f337d741e0084d8509a2b66 Mon Sep 17 00:00:00 2001
From: Aaron Coburn
Date: Mon, 13 Apr 2026 14:30:37 -0500
Subject: [PATCH] Tighten workflow permissions

---
 .github/workflows/cd-config.yml | 4 ++++
 .github/workflows/ci-config.yml | 10 ++++++++++
 .github/workflows/site-ci-config.yml | 4 ++++
 3 files changed, 18 insertions(+)

diff --git a/.github/workflows/cd-config.yml b/.github/workflows/cd-config.yml
index 8c9297ece9e..eed4393900d 100644
--- a/.github/workflows/cd-config.yml
+++ b/.github/workflows/cd-config.yml
@@ -9,9 +9,13 @@ on:
 - inrupt-client-[0-9]+.[0-9]+.[0-9]+.Alpha[0-9]+
 - inrupt-client-[0-9]+.[0-9]+.[0-9]+.Beta[0-9]+
+permissions: {}
+
 jobs:
 deployment:
 name: Deploy artifacts
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 environment:
 name: ${{ matrix.envName }}
diff --git a/.github/workflows/ci-config.yml b/.github/workflows/ci-config.yml
index be1a18bd42e..f0974e521f8 100644
--- a/.github/workflows/ci-config.yml
+++ b/.github/workflows/ci-config.yml
@@ -5,9 +5,13 @@ on:
 pull_request: { }
 merge_group: { }
+permissions: {}
+
 jobs:
 build:
 name: Java environment
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 strategy:
 matrix:
@@ -58,6 +62,8 @@ jobs:
 performance:
 name: Performance Tests
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 strategy:
 matrix:
@@ -79,6 +85,8 @@ jobs:
 documentation:
 name: Documentation Check
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 strategy:
 matrix:
@@ -99,6 +107,8 @@ jobs:
 sonar:
 name: Sonar Scan
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 if: ${{ github.actor != 'dependabot[bot]' }}
diff --git a/.github/workflows/site-ci-config.yml b/.github/workflows/site-ci-config.yml
index 97b8ea6cc46..e78e17ffa8b 100644
--- a/.github/workflows/site-ci-config.yml
+++ b/.github/workflows/site-ci-config.yml
@@ -6,9 +6,13 @@ on:
 paths:
 - '**/site/**'
+permissions: {}
+
 jobs:
 site:
 name: Project site
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 strategy:
 matrix:
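Review bot: The `deployment` job's new `contents: read` grant in cd-config.yml may be narrower than a job that publishes artifacts can work with; if its steps create GitHub releases, push to GitHub Packages, or request an OIDC token for a registry, they would now need `contents: write`, `packages: write` or `id-token: write` respectively, and the breakage would only surface on the next tag-triggered run. The job's steps lie outside the hunk, so this cannot be confirmed here; the same question applies to the `site` job in site-ci-config.yml if it deploys to GitHub Pages (`pages: write` plus `id-token: write`). Because the top-level `permissions: {}` silently hands any future job an empty token, a comment above it in all three files would help maintainers, e.g. `# Workflow-wide default: no GITHUB_TOKEN scopes. Each job must declare the minimum it needs.`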
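Review bot: The `sonar` job in ci-config.yml runs on `pull_request` and is gated only on the actor not being dependabot, so under the new `contents: read` any step that uses GITHUB_TOKEN to post check results or pull-request comments would be refused. If the scan instead relies on the Sonar app and its own secret token this is harmless, but the scan step sits outside the hunk, so please confirm. The identical `permissions` block is repeated in the `build`, `performance` and `documentation` hunks of this file; that is a reasonable explicit least-privilege pattern, with the caveat that every job added later must remember to declare its own block or it runs with no token scopes at all.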