diff --git a/.github/workflows/clang-format-check.yml b/.github/workflows/clang-format-check.yml
index 70809a1156a..56d2b48c3be 100644
--- a/.github/workflows/clang-format-check.yml
+++ b/.github/workflows/clang-format-check.yml
@@ -1,6 +1,8 @@
 name: clang-format Check
 on:
 pull_request:
+permissions:
+ contents: read
 jobs:
 formatting-check:
 name: Formatting Check
diff --git a/.github/workflows/clang-format-fix.yml b/.github/workflows/clang-format-fix.yml
index 00d23529cbd..59811181f9b 100644
--- a/.github/workflows/clang-format-fix.yml
+++ b/.github/workflows/clang-format-fix.yml
@@ -11,11 +11,15 @@ name: clang-format Commit Changes
 on:
 workflow_dispatch:
 push:
+permissions:
+ contents: read
 jobs:
 formatting-check:
 name: Commit Format Changes
 runs-on: ubuntu-latest
 if: "!contains(github.event.head_commit.message, 'skip-ci')"
+ permissions:
+ contents: write # In order to allow EndBug/add-and-commit to commit changes
 steps:
 - uses: actions/checkout@v3
 - name: Fix C and Java formatting issues detected by clang-format
diff --git a/.github/workflows/cmake-ctest.yml b/.github/workflows/cmake-ctest.yml
index c21872d2ee6..02d82056320 100644
--- a/.github/workflows/cmake-ctest.yml
+++ b/.github/workflows/cmake-ctest.yml
@@ -9,6 +9,9 @@ on:
 required: true
 type: string

+permissions:
+ contents: read
+
 # A workflow run is made up of one or more jobs that can run sequentially or
 # in parallel
 jobs:
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index ddf10389c1e..37294bf2203 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -3,6 +3,8 @@
 # https://github.com/codespell-project/actions-codespell
 name: codespell
 on: [push, pull_request]
+permissions:
+ contents: read
 jobs:
 codespell:
 name: Check for spelling errors
diff --git a/.github/workflows/daily-build.yml b/.github/workflows/daily-build.yml
index 0e040cae83a..04e52aca92e 100644
--- a/.github/workflows/daily-build.yml
+++ b/.github/workflows/daily-build.yml
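Review bot: The new top-level `permissions:` block in clang-format-check.yml carries no comment saying that every scope it does not list is now `none`, and the same bare block appears in the codespell, cmake-ctest, daily-build, hdfeos5, main and tarball hunks. The job steps sit outside all of these hunks, so the diff cannot show whether any step uses the token for more than checkout (annotations, PR comments, releases); such a step would now fail with a permission error. I would put `# Read-only token; scopes not listed here are none. Widen per job, with a reason.` above the key so that such a failure is traced back to this block.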
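Review bot: The job in clang-format-fix.yml that now gets `contents: write` still resolves `actions/checkout@v3` by tag, and per the new inline comment `EndBug/add-and-commit` runs further down the step list, outside this hunk. A tag can be repointed by whoever controls the action's repository, and code pulled in that way would run here with a token that can push to this repository. Pin every `uses:` in this job to a full commit SHA, e.g. `- uses: actions/checkout@<full-commit-sha>  # v3`, and keep the write grant at job level as done here.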
@@ -6,6 +6,9 @@ on:
 schedule:
 - cron: "6 0 * * *"

+permissions:
+ contents: read
+
 # A workflow run is made up of one or more jobs that can run sequentially or
 # in parallel.
 jobs:
diff --git a/.github/workflows/hdfeos5.yml b/.github/workflows/hdfeos5.yml
index 03c97462963..089e8df4e69 100644
--- a/.github/workflows/hdfeos5.yml
+++ b/.github/workflows/hdfeos5.yml
@@ -19,6 +19,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.sha || github.event.pull_request.number }}
 cancel-in-progress: true

+permissions:
+ contents: read
+
 jobs:
 build:
 name: Build hdfeos5
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 0711d0077cf..889258829d6 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -20,6 +20,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.sha || github.event.pull_request.number }}
 cancel-in-progress: true

+permissions:
+ contents: read
+
 # A workflow run is made up of one or more jobs that can run sequentially or
 # in parallel. We just have one job, but the matrix items defined below will
 # run in parallel.
diff --git a/.github/workflows/tarball.yml b/.github/workflows/tarball.yml
index 12f3438d557..e68cb640d34 100644
--- a/.github/workflows/tarball.yml
+++ b/.github/workflows/tarball.yml
@@ -11,6 +11,9 @@ on:
 description: "The common base name of the source tarballs"
 value: ${{ jobs.create_tarball.outputs.file_base }}

+permissions:
+ contents: read
+
 # A workflow run is made up of one or more jobs that can run sequentially or
 # in parallel
 jobs: