OpenSSF Scorecard - Set token-permissions to content-read (#4125)

Kielek · web-flow · commit 9c5f51c467d1 · 2025-04-03T13:16:17.000+02:00
diff --git a/.github/workflows/build-container.yml b/.github/workflows/build-container.yml
@@ -3,6 +3,9 @@ name: Build on Containers
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 env:
   NUGET_PACKAGES: ${{ github.workspace }}/packages
   DOTNET_CLI_TELEMETRY_OPTOUT: 1
diff --git a/.github/workflows/build-nuget-packages.yml b/.github/workflows/build-nuget-packages.yml
@@ -8,6 +8,8 @@ on:
         description: "The NuGet version suffix to build the packages"
         value: ${{ jobs.build-nuget-packages.outputs.nuget-version-suffix }}
 
+permissions:
+  contents: read
 
 env:
   NUGET_PACKAGES: ${{ github.workspace }}/packages
diff --git a/.github/workflows/build-ubuntu1604-native-container.yml b/.github/workflows/build-ubuntu1604-native-container.yml
@@ -3,6 +3,9 @@ name: Build on Ubuntu 16.04 Native Container
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 env:
   NUGET_PACKAGES: ${{ github.workspace }}/packages
   DOTNET_CLI_TELEMETRY_OPTOUT: 1
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -7,6 +7,9 @@ env:
   NUGET_PACKAGES: ${{ github.workspace }}/packages
   DOTNET_CLI_TELEMETRY_OPTOUT: 1
 
+permissions:
+  contents: read
+
 jobs:
   build:
     strategy:
diff --git a/.github/workflows/check-sdk-versions.yml b/.github/workflows/check-sdk-versions.yml
@@ -7,6 +7,9 @@ on:
   merge_group:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   check-sdk-versions:
     runs-on: windows-latest
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -11,6 +11,9 @@ env:
   NUGET_PACKAGES: ${{ github.workspace }}/packages
   DOTNET_CLI_TELEMETRY_OPTOUT: 1
 
+permissions:
+  contents: read
+
 jobs:
   build-container:
     uses: ./.github/workflows/build-container.yml
diff --git a/.github/workflows/demo.yml b/.github/workflows/demo.yml
@@ -11,6 +11,9 @@ on:
     - examples/demo/**
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/dotnet-format.yml b/.github/workflows/dotnet-format.yml
@@ -14,6 +14,9 @@ on:
   merge_group:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   check-format:
     runs-on: windows-latest
diff --git a/.github/workflows/format-native.yml b/.github/workflows/format-native.yml
@@ -7,6 +7,9 @@ on:
   merge_group:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   check-native-format:
     strategy:
diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml
@@ -4,6 +4,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 jobs:
   powershell-script:
     runs-on: windows-2022
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -5,6 +5,9 @@ on:
     tags: [ v* ]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 env:
   NUGET_PACKAGES: ${{ github.workspace }}/packages
   DOTNET_CLI_TELEMETRY_OPTOUT: 1
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
@@ -7,6 +7,9 @@ on:
   merge_group:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   shellcheck:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/validate-documentation.yml b/.github/workflows/validate-documentation.yml
@@ -16,6 +16,9 @@ on:
   merge_group:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/verify-test.yml b/.github/workflows/verify-test.yml
@@ -12,6 +12,9 @@ on:
         description: 'Test execution count'
         default: '20'
 
+permissions:
+  contents: read
+
 jobs:
   verify-test:
     strategy:
