chore(ci): address codeql alerts

kelly-sovacool · kelly-sovacool · commit 25fa5fea1e01 · 2025-04-08T10:53:21.000-04:00
explicitly set permissions for gha workflows
diff --git a/.github/workflows/build-docker-auto.yml b/.github/workflows/build-docker-auto.yml
@@ -19,6 +19,9 @@
 
 name: build-docker-auto
 
+permissions:
+  contents: write
+
 on:
   push:
     branches:
diff --git a/.github/workflows/build-docker-manual.yml b/.github/workflows/build-docker-manual.yml
@@ -20,6 +20,9 @@
 name: build-docker-manual
 run-name: build-docker ${{ inputs.dockerfile }}-${{ inputs.suffix }}
 
+permissions:
+  contents: write
+
 on:
   workflow_dispatch:
     inputs:
diff --git a/.github/workflows/draft-release.yml b/.github/workflows/draft-release.yml
@@ -12,6 +12,9 @@ on:
         type: string
         default: ""
 
+permissions:
+  contents: write
+
 jobs:
   draft-release:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/post-release.yml b/.github/workflows/post-release.yml
@@ -5,6 +5,9 @@ on:
     types:
       - published
 
+permissions:
+  contents: write
+
 jobs:
   cleanup:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/techdev-project.yml b/.github/workflows/techdev-project.yml
@@ -8,6 +8,10 @@ on:
     types:
       - opened
 
+permissions:
+  issues: read
+  pull-requests: read
+
 jobs:
   add-to-project:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/user-projects.yml b/.github/workflows/user-projects.yml
@@ -8,6 +8,10 @@ on:
     types:
       - assigned
 
+permissions:
+  issues: read
+  pull-requests: read
+
 jobs:
   add-to-project:
     uses: CCBR/.github/.github/workflows/auto-add-user-project.yml@v0.1.0
