From 67cafd951cdd40fe060c11e0b60de9842979ab5e Mon Sep 17 00:00:00 2001 From: Luke Heath Date: Mon, 8 Dec 2025 22:31:46 -0800 Subject: [PATCH] Set permission level in FMA workflows (#36930)
--- .github/workflows/test-fma-darwin-pr-only.yml | 3 +++ .github/workflows/test-fma-darwin.yml | 25 +++++++++++-------- .../workflows/test-fma-windows-pr-only.yml | 3 +++ .github/workflows/test-fma-windows.yml | 21 +++++++++------- 4 files changed, 32 insertions(+), 20 deletions(-)
diff --git a/.github/workflows/test-fma-darwin-pr-only.yml b/.github/workflows/test-fma-darwin-pr-only.yml
index 893b09a634..4f3145cb35 100644
--- a/.github/workflows/test-fma-darwin-pr-only.yml
+++ b/.github/workflows/test-fma-darwin-pr-only.yml
@@ -23,6 +23,9 @@ on: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} +permissions: + contents: read + jobs: test-fma-pr-only: env:
diff --git a/.github/workflows/test-fma-darwin.yml b/.github/workflows/test-fma-darwin.yml
index 6d587ecba8..dc157d5a3d 100644
--- a/.github/workflows/test-fma-darwin.yml
+++ b/.github/workflows/test-fma-darwin.yml
@@ -1,24 +1,27 @@ name: Test Fleet Maintained Apps - Darwin -on: +on: # Note: PR triggers removed - use test-fma-darwin-pr-only.yml for PRs # This workflow is kept for manual testing of all FMAs via workflow_dispatch workflow_dispatch: # Manual trigger inputs: log_level: - description: 'Log level (debug, info, warn, error)' + description: "Log level (debug, info, warn, error)" required: false - default: 'info' + default: "info" type: choice options: - debug - info - warn - error - + env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} +permissions: + contents: read + jobs: test-fma: env: 
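Review bot: The new workflow-level `permissions: contents: read` block sets every scope it does not list to `none`, while the `env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` directly above it still hands that same token to every step of every job, so any step in the jobs below (outside this hunk) that used the token for more than reading repository contents — posting a PR comment, fetching another workflow's artifacts through the API — will now fail with a 403; those steps should be checked and, where a wider scope is genuinely needed, given a job-level `permissions:` override rather than widening the workflow default. The same block is added in the first hunk of test-fma-darwin.yml, in test-fma-windows-pr-only.yml and in the first hunk of test-fma-windows.yml, and the same check applies there. A one-line comment above the block would record the intent for the next maintainer, e.g. `# Least privilege: GITHUB_TOKEN is read-only for the whole workflow; raise scopes per job only where a step needs them.` The remaining hunks (quote style, trailing whitespace, `name :` spacing) are cosmetic and need no review.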
@@ -27,17 +30,17 @@ jobs: steps: - name: Checkout Fleet - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: fleetdm/fleet fetch-depth: 1 ref: ${{ github.ref }} path: fleet - + - name: Setup Go - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: - go-version-file: 'fleet/go.mod' + go-version-file: "fleet/go.mod" - name: Install osquery mac run: |
@@ -48,8 +51,8 @@ jobs: sudo cp -r private / sudo ln -sf /opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd /usr/local/bin/osqueryi sudo ln -sf /opt/osquery/lib/osquery.app/Contents/Resources/osqueryctl /usr/local/bin/osqueryctl - - - name : Remove pre-installed google chrome mac + + - name: Remove pre-installed google chrome mac run: | ls /Applications | grep -i "Chrome" find /Applications -name "*Chrome*.app" -type d | while read app;
@@ -57,7 +60,7 @@ jobs: echo "Removing $app..." sudo rm -rf "$app" done - + - name: Verify Fleet Maintained Apps mac run: | ls /Applications
diff --git a/.github/workflows/test-fma-windows-pr-only.yml b/.github/workflows/test-fma-windows-pr-only.yml
index acc1e809f6..4ad2447c40 100644
--- a/.github/workflows/test-fma-windows-pr-only.yml
+++ b/.github/workflows/test-fma-windows-pr-only.yml
@@ -23,6 +23,9 @@ on: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} +permissions: + contents: read + jobs: test-fma-pr-only: env:
diff --git a/.github/workflows/test-fma-windows.yml b/.github/workflows/test-fma-windows.yml
index 77184cc348..ab0b7ee8d9 100644
--- a/.github/workflows/test-fma-windows.yml
+++ b/.github/workflows/test-fma-windows.yml 
@@ -1,24 +1,27 @@ name: Test Fleet Maintained Apps - Windows -on: +on: # Note: PR triggers removed - use test-fma-windows-pr-only.yml for PRs # This workflow is kept for manual testing of all FMAs via workflow_dispatch workflow_dispatch: # Manual trigger inputs: log_level: - description: 'Log level (debug, info, warn, error)' + description: "Log level (debug, info, warn, error)" required: false - default: 'info' + default: "info" type: choice options: - debug - info - warn - error - + env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} +permissions: + contents: read + jobs: test-fma: env:
@@ -27,17 +30,17 @@ jobs: steps: - name: Checkout Fleet - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: fleetdm/fleet fetch-depth: 1 ref: ${{ github.ref }} path: fleet - + - name: Setup Go - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: - go-version-file: 'fleet/go.mod' + go-version-file: "fleet/go.mod" - name: Install osquery windows run: |
@@ -49,7 +52,7 @@ jobs: echo "Adding to PATH: $osqueryPath" echo $osqueryPath | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append shell: pwsh - + - name: Remove pre-installed google chrome run: | Write-Host "Listing all installed packages containing 'Chrome':"