Constrain GH Actions workflows permissions (#2625)

2025-10-30 06:33:51 +00:00 · 2021-10-26 10:55:27 +02:00
parent a01f5f5cf1
commit c612a3bf60
3 changed files with 16 additions and 0 deletions
--- a/.github/workflows/ci-docker.yml
+++ b/.github/workflows/ci-docker.yml
@@ -17,6 +17,10 @@ on:
      - 'requirements*.txt'
      - 'platformio.ini'

+permissions:
+  contents: read
+  packages: read
+
 jobs:
  check-docker:
    name: Build docker containers
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,6 +8,9 @@ on:

  pull_request:

+permissions:
+  contents: read
+
 jobs:
  ci:
    name: ${{ matrix.name }}
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,6 +7,9 @@ on:
  schedule:
    - cron: "0 2 * * *"

+permissions:
+  contents: read
+
 jobs:
  init:
    name: Initialize build
@@ -52,6 +55,9 @@ jobs:
  deploy-docker:
    name: Build and publish docker containers
    if: github.repository == 'esphome/esphome'
+    permissions:
+      contents: read
+      packages: write
    runs-on: ubuntu-latest
    needs: [init]
    strategy:
@@ -93,6 +99,9 @@ jobs:

  deploy-docker-manifest:
    if: github.repository == 'esphome/esphome'
+    permissions:
+      contents: read
+      packages: write
    runs-on: ubuntu-latest
    needs: [init, deploy-docker]
    strategy: