Give read permissions to all remaining GA workflows

This commit is used to address token vulnerabilities found through the OSSF code scanner The following GA workflows were updated: - checkout-cno-ci-repo-job - checkout-tas-repo-job - bm-job-exit-trigger
intel · Mar 6, 2024 · e326349 · e326349
1 parent e02f456
commit e326349
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 0 deletions.
diff --git a/.github/workflows/bm-job-exit-trigger.yaml b/.github/workflows/bm-job-exit-trigger.yaml
@@ -18,6 +18,8 @@ on:
         description: "CNO-CI branch name"
         value: ${{ jobs.exit-trigger.outputs.cno-ci-branch-name  }}
 
+permissions:
+  contents: read
 
 jobs:
   exit-trigger:

diff --git a/.github/workflows/checkout-cno-ci-repo-job.yaml b/.github/workflows/checkout-cno-ci-repo-job.yaml
@@ -21,6 +21,9 @@ on:
         required: true
         description: 'Token required to access the CNO-CI repo'
 
+permissions:
+  contents: read
+
 jobs:
   pull-ci:
     name: Pull ansible based scripts

diff --git a/.github/workflows/checkout-tas-repo-job.yaml b/.github/workflows/checkout-tas-repo-job.yaml
@@ -11,6 +11,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   pull-tas:
     name: Pull TAS code