diff --git a/.github/workflows/brakeman-scan-core.yml b/.github/workflows/brakeman-scan-core.yml
index 25cce7f6fb..3722bf183f 100644
--- a/.github/workflows/brakeman-scan-core.yml
+++ b/.github/workflows/brakeman-scan-core.yml
@@ -10,8 +10,14 @@ on:
   schedule:
     - cron: '10 6 * * 1'
 
+permissions:
+  contents: read
+
 jobs:
   brakeman-scan:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
     if: github.repository == 'opf/openproject'
     name: Brakeman Scan
     runs-on: ubuntu-latest
diff --git a/.github/workflows/continuous-delivery.yml b/.github/workflows/continuous-delivery.yml
index f0fe5b441f..06dc824b03 100644
--- a/.github/workflows/continuous-delivery.yml
+++ b/.github/workflows/continuous-delivery.yml
@@ -4,8 +4,13 @@ on:
     branches:
       - dev
       - release/*
+permissions:
+  contents: read
+
 jobs:
   trigger_downstream_workflow:
+    permissions:
+      contents: none
     if: github.repository == 'opf/openproject'
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/test-core.yml b/.github/workflows/test-core.yml
index b86148a369..59044c7163 100644
--- a/.github/workflows/test-core.yml
+++ b/.github/workflows/test-core.yml
@@ -14,6 +14,9 @@ on:
     - 'docs/**'
     - 'help/**'
 
+permissions:
+  contents: read
+
 jobs:
   units:
     name: Units
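Review bot: The job-level `permissions` block on `brakeman-scan` is correct but the reason it must repeat `contents: read` is not stated, and a later editor trimming "duplicate" scopes would silently break checkout: a job-level block replaces the workflow-level default rather than merging with it. I would put that in the comment, e.g. `contents: read  # must be repeated: a job-level block replaces the workflow default, and checkout needs it`. The inline comments also sit one space after the value; yamllint's default `comments` rule expects two (`contents: read  # …`). If this workflow were ever run in a private fork, `github/codeql-action/upload-sarif` additionally requires `actions: read`; for the public opf/openproject repository gated by the `if:` the two scopes shown suffice. The job body continues past the end of the hunk.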
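Review bot: Setting `contents: none` at job level on `trigger_downstream_workflow` does more than the line suggests: because a job-level `permissions` block replaces the workflow-level default, every scope of `GITHUB_TOKEN` for this job becomes none, so the steps (which start outside the hunk) must authenticate the downstream dispatch with a dedicated PAT or app token rather than `secrets.GITHUB_TOKEN` — presumably already the case, but worth confirming since a 403 would only show up on the next push to `dev`/`release/*`. If that is the intent, `permissions: {}` is the idiomatic spelling for "no token at all" and reads less like a single scope being toggled; I would write `permissions: {}  # job dispatches downstream with its own token; GITHUB_TOKEN is not used`. Unlike the other two files, no blank line separates `- release/*` from the new `permissions:` key, which is harmless but inconsistent with the sibling workflows.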
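Review bot: The new workflow-level `contents: read` in test-core.yml applies to every job in the file, and none of those jobs are visible in the hunk, so this is the one change here whose blast radius cannot be checked from the diff: any job that writes check runs, PR comments, or commit statuses will now get a 403 unless it carries its own job-level block, and that block must re-declare `contents: read` alongside the extra scope because job-level permissions replace rather than extend the default. A short comment above the key would save the next person that surprise, e.g. `# default for all jobs; a job needing more must redeclare contents: read with its extra scopes`. Pull requests from forks already receive a read-only token, so for that trigger the line changes nothing. The `jobs:` section continues past the end of the hunk.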