diff --git a/.github/workflows/accept-baselines-fix-lints.yaml b/.github/workflows/accept-baselines-fix-lints.yaml
index d78282e952c..cccf0d235cb 100644
--- a/.github/workflows/accept-baselines-fix-lints.yaml
+++ b/.github/workflows/accept-baselines-fix-lints.yaml
@@ -3,10 +3,16 @@ name: Accept Baselines and Fix Lints
 on:
 workflow_dispatch: {}
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+
 steps:
 - uses: actions/checkout@v3
 - uses: actions/setup-node@v3
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f07f606cf5c..3f87a73e094 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,6 +10,9 @@ on:
 - main
 - release-*
+permissions:
+ contents: read
+
 jobs:
 test:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 806de03ae48..31e870e4797 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -21,6 +21,9 @@ on:
 # * * * * *
 - cron: '30 1 * * 0'
+permissions:
+ contents: read
+
 jobs:
 CodeQL-Build:
 # CodeQL runs on ubuntu-latest, windows-latest, and macos-latest
diff --git a/.github/workflows/ensure-related-repos-run-crons.yml b/.github/workflows/ensure-related-repos-run-crons.yml
index 265e5028bdf..f7979ca54f2 100644
--- a/.github/workflows/ensure-related-repos-run-crons.yml
+++ b/.github/workflows/ensure-related-repos-run-crons.yml
@@ -11,6 +11,9 @@ on:
 - cron: '0 0 1 * *'
 workflow_dispatch: {}
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/error-deltas-watchdog.yaml b/.github/workflows/error-deltas-watchdog.yaml
index ac63583b71d..c7f15c51e39 100644
--- a/.github/workflows/error-deltas-watchdog.yaml
+++ b/.github/workflows/error-deltas-watchdog.yaml
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: '0 0 * * 3' # Every Wednesday
+permissions:
+ contents: read
+
 jobs:
 check-for-recent:
 runs-on: ubuntu-latest
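Review bot: The job-level `contents: write` added under `build` in accept-baselines-fix-lints.yaml applies to every step of the job, including `actions/checkout@v3`, `actions/setup-node@v3` and whatever scripts run after them, and nothing in the hunk records which step needs it. A short comment on the grant, for example `# needed by: <name of the step that writes to the repo>`, would let a later reviewer drop the scope when that step changes. The steps that do the writing are outside the hunk; if they authenticate with a separate token rather than GITHUB_TOKEN, the job can presumably stay at the workflow-level `contents: read`. The same applies to the job-level grants in new-release-branch.yaml, set-version.yaml, sync-branch.yaml, update-lkg.yml and update-package-lock.yaml.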
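Review bot: Once a workflow declares `permissions:`, every scope it does not list is set to none for GITHUB_TOKEN, so the top-level `contents: read` added to codeql.yml leaves the `CodeQL-Build` job without `security-events: write`, which the CodeQL upload of results requires. The job body is outside the hunk, so the scope may already be granted there. If it is not, add a job-level `permissions:` block with `security-events: write` under `CodeQL-Build`, otherwise the scan runs but its findings never reach code scanning.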
diff --git a/.github/workflows/new-release-branch.yaml b/.github/workflows/new-release-branch.yaml
index aa658e311ab..69e652d1e09 100644
--- a/.github/workflows/new-release-branch.yaml
+++ b/.github/workflows/new-release-branch.yaml
@@ -4,10 +4,16 @@ on:
 repository_dispatch:
 types: new-release-branch
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+
 steps:
 - uses: actions/setup-node@v3
 - run: |
diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
index de203a800d9..e365ad71fda 100644
--- a/.github/workflows/nightly.yaml
+++ b/.github/workflows/nightly.yaml
@@ -8,6 +8,9 @@ on:
 repository_dispatch:
 types: publish-nightly
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/release-branch-artifact.yaml b/.github/workflows/release-branch-artifact.yaml
index 3c28faa0511..39c4426e27e 100644
--- a/.github/workflows/release-branch-artifact.yaml
+++ b/.github/workflows/release-branch-artifact.yaml
@@ -5,6 +5,9 @@ on:
 branches:
 - release-*
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/rich-navigation.yml b/.github/workflows/rich-navigation.yml
index 758faea4c7d..531cdc7fda2 100644
--- a/.github/workflows/rich-navigation.yml
+++ b/.github/workflows/rich-navigation.yml
@@ -10,6 +10,9 @@ on:
 - main
 - release-*
+permissions:
+ contents: read
+
 jobs:
 richnav:
 runs-on: windows-latest
diff --git a/.github/workflows/set-version.yaml b/.github/workflows/set-version.yaml
index 6ae7b382f85..3b3bdf59c03 100644
--- a/.github/workflows/set-version.yaml
+++ b/.github/workflows/set-version.yaml
@@ -4,10 +4,16 @@ on:
 repository_dispatch:
 types: set-version
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+
 steps:
 - uses: actions/setup-node@v3
 - uses: actions/checkout@v3
diff --git a/.github/workflows/sync-branch.yaml b/.github/workflows/sync-branch.yaml
index ce15c88121d..5a5395978c5 100644
--- a/.github/workflows/sync-branch.yaml
+++ b/.github/workflows/sync-branch.yaml
@@ -9,10 +9,16 @@ on:
 description: 'Target Branch Name'
 required: true
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+
 steps:
 - uses: actions/setup-node@v3
 - uses: actions/checkout@v3
diff --git a/.github/workflows/sync-wiki.yml b/.github/workflows/sync-wiki.yml
index 8054832be0a..f466ff1737d 100644
--- a/.github/workflows/sync-wiki.yml
+++ b/.github/workflows/sync-wiki.yml
@@ -2,6 +2,9 @@ name: Sync Two Wiki Repos
 on: [gollum]
+permissions:
+ contents: read
+
 jobs:
 sync:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/twoslash-repros.yaml b/.github/workflows/twoslash-repros.yaml
index 5f6fee2402d..3b544d16f42 100644
--- a/.github/workflows/twoslash-repros.yaml
+++ b/.github/workflows/twoslash-repros.yaml
@@ -19,6 +19,9 @@ on:
 required: false
 type: string
+permissions:
+ contents: read
+
 jobs:
 run:
 if: ${{ github.repository == 'microsoft/TypeScript' }}
diff --git a/.github/workflows/update-lkg.yml b/.github/workflows/update-lkg.yml
index b2fd19c02d9..86aa4d98fd4 100644
--- a/.github/workflows/update-lkg.yml
+++ b/.github/workflows/update-lkg.yml
@@ -3,10 +3,16 @@ name: Update LKG
 on:
 workflow_dispatch: {}
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+
 steps:
 - uses: actions/checkout@v3
 - uses: actions/setup-node@v3
diff --git a/.github/workflows/update-package-lock.yaml b/.github/workflows/update-package-lock.yaml
index 6810544bda9..55340ee5010 100644
--- a/.github/workflows/update-package-lock.yaml
+++ b/.github/workflows/update-package-lock.yaml
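Review bot: The workflow-level `contents: read` added to twoslash-repros.yaml also removes every other GITHUB_TOKEN scope, such as `issues` and `pull-requests`, from the `run` job. The job's steps are outside the hunk; if any of them uses the default token to comment on or label an issue, it will start receiving 403 responses and the job needs an explicit grant such as `issues: write`. error-deltas-watchdog.yaml, nightly.yaml and sync-wiki.yml receive the same read-only block with no job-level override and are worth the same check before merging.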
@@ -7,11 +7,17 @@ on:
 - cron: '0 6 * * *'
 workflow_dispatch: {}
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
 if: github.repository == 'microsoft/TypeScript'
+ permissions:
+ contents: write
+
 steps:
 - uses: actions/checkout@v3
 with: