diff --git a/.github/workflows/argos.yaml b/.github/workflows/argos.yaml
index a9ffe1e4d21..7526532b8bc 100644
--- a/.github/workflows/argos.yaml
+++ b/.github/workflows/argos.yaml
@@ -39,6 +39,9 @@ on:
 - 'website/**'
 - 'website-argos/**'
 
+permissions:
+ contents: read
+
 jobs:
 take-screenshots:
 name: take screenshots
diff --git a/.github/workflows/codecov-next.yaml b/.github/workflows/codecov-next.yaml
index 4400fbbf06d..3e98a2ed860 100644
--- a/.github/workflows/codecov-next.yaml
+++ b/.github/workflows/codecov-next.yaml
@@ -23,6 +23,9 @@ on:
 branches:
 - main
 
+permissions:
+ contents: read
+
 jobs:
 codecov:
 name: Run tests and push coverage result
diff --git a/.github/workflows/merge-group.yaml b/.github/workflows/merge-group.yaml
index 91db089254e..55f6201302a 100644
--- a/.github/workflows/merge-group.yaml
+++ b/.github/workflows/merge-group.yaml
@@ -19,6 +19,9 @@ name: merge-queue
 on:
 merge_group:
 
+permissions:
+ contents: read
+
 jobs:
 dco:
 name: DCO
diff --git a/.github/workflows/publish-flathub.yaml b/.github/workflows/publish-flathub.yaml
index 6e38f8e4287..8abd53db49e 100644
--- a/.github/workflows/publish-flathub.yaml
+++ b/.github/workflows/publish-flathub.yaml
@@ -26,9 +26,14 @@ on:
 repository_dispatch:
 types: [ publish-to-flathub ]
 
+permissions:
+ contents: read
+
 jobs:
 
 update-flathub:
+ permissions:
+ contents: write # for Git to git push
 name: Publish Podman Desktop to flathub
 runs-on: ubuntu-24.04
 steps:
diff --git a/.github/workflows/publish-to-brew.yaml b/.github/workflows/publish-to-brew.yaml
index abd892e064a..8bda9631430 100644
--- a/.github/workflows/publish-to-brew.yaml
+++ b/.github/workflows/publish-to-brew.yaml
@@ -26,6 +26,9 @@ on:
 repository_dispatch:
 types: [ publish-to-brew ]
 
+permissions:
+ contents: read
+
 jobs:
 
 publish-to-brew:
diff --git a/.github/workflows/publish-to-chocolatey.yaml b/.github/workflows/publish-to-chocolatey.yaml
index 040a27bce17..50c6984a4b0 100644
--- a/.github/workflows/publish-to-chocolatey.yaml
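Review bot: The inline comment `# for Git to git push` on the new job-level block of update-flathub says neither what is pushed nor that the narrowing is deliberate: a job-level `permissions` block replaces the workflow-level one instead of extending it, so every scope other than `contents` is now `none` for this job, and the comment is the natural place to record that. Suggest `contents: write # git push of <what this job pushes>; every other token scope is none for this job`, filling in what the steps push (the steps are outside the hunk). The same comment is reused on winget-bump in publish-to-chocolatey.yaml and on the misplaced block in publish-to-podman_io.yaml.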
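Review bot: publish-to-brew is left with only the workflow-level `contents: read`, whereas the peer release jobs in publish-flathub.yaml and publish-to-chocolatey.yaml are raised to `contents: write` for their push; if this job pushes with GITHUB_TOKEN the push will be rejected once this lands, so either confirm it authenticates with a PAT or app token or add the same two-line job-level block here. The job body is outside the hunk. publish-to-winget.yaml is in the same position: its hunk adds only the read-only default and grants no job a write scope.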
+++ b/.github/workflows/publish-to-chocolatey.yaml
@@ -30,6 +30,9 @@ on:
 repository_dispatch:
 types: [ publish-to-chocolatey ]
 
+permissions:
+ contents: read
+
 jobs:
 
 version:
@@ -56,6 +59,8 @@ jobs:
 echo "desktopVersion=$version" >> ${GITHUB_OUTPUT}
 
 winget-bump:
+ permissions:
+ contents: write # for Git to git push
 name: Update Chocolatey
 needs: version
 runs-on: windows-2022
diff --git a/.github/workflows/publish-to-podman_io.yaml b/.github/workflows/publish-to-podman_io.yaml
index 503aa54e5fe..1634c240257 100644
--- a/.github/workflows/publish-to-podman_io.yaml
+++ b/.github/workflows/publish-to-podman_io.yaml
@@ -21,11 +21,16 @@ on:
 workflow_dispatch:
 inputs:
 version:
+ permissions:
+ contents: write # for Git to git push
 description: 'release version like 1.1.0'
 required: true
 repository_dispatch:
 types: [ publish-to-podman_io ]
 
+permissions:
+ contents: read
+
 jobs:
 
 version:
diff --git a/.github/workflows/publish-to-winget.yaml b/.github/workflows/publish-to-winget.yaml
index 89af8078f02..a09e3c2ac76 100644
--- a/.github/workflows/publish-to-winget.yaml
+++ b/.github/workflows/publish-to-winget.yaml
@@ -26,6 +26,9 @@ on:
 repository_dispatch:
 types: [ publish-to-winget ]
 
+permissions:
+ contents: read
+
 jobs:
 
 version:
diff --git a/.github/workflows/website-next.yaml b/.github/workflows/website-next.yaml
index 89ea755afbb..b1d8aa41c68 100644
--- a/.github/workflows/website-next.yaml
+++ b/.github/workflows/website-next.yaml
@@ -32,8 +32,13 @@ on:
 env:
 GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
 
+permissions:
+ contents: read
+
 jobs:
 deploy:
+ permissions:
+ contents: write # for peaceiris/actions-gh-pages to push pages branch
 name: Build and deploy website
 runs-on: ubuntu-24.04
 timeout-minutes: 60
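Review bot: In publish-to-podman_io.yaml the job-level grant is nested under the wrong key: the added `permissions:` / `contents: write # for Git to git push` pair sits inside `on.workflow_dispatch.inputs.version`, between the input's name and its `description`. A workflow_dispatch input does not take a `permissions` property, so the workflow is likely to be rejected at parse time, and even if it were tolerated the job that pushes would run with the new workflow-level `contents: read` and have its push denied. Move the two lines under the pushing job (outside this hunk), indented as the update-flathub and winget-bump blocks are in the other hunks of this change.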