Add explicit permissions block to GitHub Actions workflows (#5151)

jitu5 · web-flow · commit 21fcc1e820f6 · 2025-10-07T16:10:31.000+01:00
diff --git a/.github/workflows/all-checks.yml b/.github/workflows/all-checks.yml
@@ -21,6 +21,9 @@ on:
       - "docs/**"
       - '**.md'
 
+permissions:
+  contents: read
+
 jobs:
   unit-tests:
     strategy:
diff --git a/.github/workflows/auto-merge-prs.yml b/.github/workflows/auto-merge-prs.yml
@@ -9,6 +9,9 @@ on:
 
 jobs:
   automerge:
+    permissions:
+      contents: write
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
diff --git a/.github/workflows/benchmark-performance.yml b/.github/workflows/benchmark-performance.yml
@@ -10,6 +10,8 @@ on:
 jobs:
 
   benchmark:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
 
     steps:
diff --git a/.github/workflows/check-release.yml b/.github/workflows/check-release.yml
@@ -5,6 +5,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   check-version:
     runs-on: ubuntu-latest
@@ -37,6 +40,8 @@ jobs:
     uses: ./.github/workflows/all-checks.yml
 
   build-publish:
+    permissions:
+      contents: write
     needs: [check-version, test-kedro]
     if: |
       always() &&
diff --git a/.github/workflows/detect-secrets.yml b/.github/workflows/detect-secrets.yml
@@ -13,6 +13,8 @@ on:
 
 jobs:
   detect-secrets:
+    permissions:
+      contents: read
     runs-on: ${{ inputs.os }}
     steps:
       - name: Checkout code
diff --git a/.github/workflows/docs-language-linter.yml b/.github/workflows/docs-language-linter.yml
@@ -8,6 +8,9 @@ on:
 
 jobs:
   vale:
+    permissions:
+      contents: read
+      pull-requests: write
     name: runner / vale
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/docs-only-checks.yml b/.github/workflows/docs-only-checks.yml
@@ -18,6 +18,8 @@ on:
 
 jobs:
   lint:
+    permissions:
+      contents: read
     strategy:
       matrix:
         os: [ ubuntu-latest ]
diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
@@ -17,6 +17,8 @@ env:
 
 jobs:
   e2e-tests:
+    permissions:
+      contents: read
     runs-on: ${{ inputs.os }}
     steps:
       - name: Checkout code
diff --git a/.github/workflows/label-community-issues.yml b/.github/workflows/label-community-issues.yml
@@ -7,6 +7,8 @@ on:
 
 jobs:
   label:
+    permissions:
+      issues: write
     runs-on: ubuntu-latest
     steps:
       - name: Check if issue author is a member of Kedro org
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -13,6 +13,8 @@ on:
 
 jobs:
   lint:
+    permissions:
+      contents: read
     runs-on: ${{ inputs.os }}
     steps:
       - name: Checkout code
diff --git a/.github/workflows/nightly-build.yml b/.github/workflows/nightly-build.yml
@@ -6,6 +6,9 @@ on:
     # Run every day at midnight (UTC time)
     - cron: '0 0 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   kedro-main-test:
     uses: ./.github/workflows/all-checks.yml
diff --git a/.github/workflows/no-response.yml b/.github/workflows/no-response.yml
@@ -9,6 +9,8 @@ on:
 
 jobs:
   noResponse:
+    permissions:
+      issues: write
     runs-on: ubuntu-latest
     steps:
       - uses: lee-dohm/no-response@v0.5.0
diff --git a/.github/workflows/pip-compile.yml b/.github/workflows/pip-compile.yml
@@ -13,6 +13,8 @@ on:
 
 jobs:
   pip-compile:
+    permissions:
+      contents: read
     runs-on: ${{ inputs.os }}
     steps:
       - name: Checkout code
diff --git a/.github/workflows/pipeline-performance-test.yml b/.github/workflows/pipeline-performance-test.yml
@@ -6,6 +6,8 @@ on:
 
 jobs:
   performance-test:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
 
     steps:
diff --git a/.github/workflows/release-starters.yml b/.github/workflows/release-starters.yml
@@ -6,6 +6,8 @@ on:
 
 jobs:
   trigger-release:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
 
     steps:
diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml
@@ -9,6 +9,9 @@ on:
 
 jobs:
   sync:
+    permissions:
+      contents: write
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
@@ -13,6 +13,8 @@ on:
 
 jobs:
   unit-tests:
+    permissions:
+      contents: read
     runs-on: ${{ inputs.os }}
     timeout-minutes: 56 # equal to max + 3*std over the last ~1000 successful runs
     steps:
