Fixed permission for workflow (cli#5279)

neilnaveen · mislav · web-flow · commit 07e0e52edd52 · 2022-03-14T14:18:21.000+01:00
https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions Co-authored-by: Mislav Marohnić <mislav@github.com>
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -10,6 +10,11 @@ on:
   schedule:
     - cron: "0 0 * * 0"
 
+permissions:
+  actions: read  # for github/codeql-action/init to get workflow details
+  contents: read  # for actions/checkout to fetch code
+  security-events: write  # for github/codeql-action/analyze to upload SARIF results
+
 jobs:
   CodeQL-Build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -1,5 +1,9 @@
 name: Tests
 on: [push, pull_request]
+
+permissions:
+  contents: read
+
 jobs:
   build:
     strategy:
diff --git a/.github/workflows/issueauto.yml b/.github/workflows/issueauto.yml
@@ -2,16 +2,21 @@ name: Issue Automation
 on:
   issues:
     types: [opened]
+
+permissions:
+  contents: none
+  issues: write
+
 jobs:
   issue-auto:
     runs-on: ubuntu-latest
     steps:
       - name: label incoming issue
         env:
-         GH_REPO: ${{ github.repository }}
-         GH_TOKEN: ${{ secrets.AUTOMATION_TOKEN }}
-         ISSUENUM: ${{ github.event.issue.number }}
-         ISSUEAUTHOR: ${{ github.event.issue.user.login }}
+          GH_REPO: ${{ github.repository }}
+          GH_TOKEN: ${{ secrets.AUTOMATION_TOKEN }}
+          ISSUENUM: ${{ github.event.issue.number }}
+          ISSUEAUTHOR: ${{ github.event.issue.user.login }}
         run: |
           if ! gh api orgs/cli/public_members/$ISSUEAUTHOR --silent 2>/dev/null
           then
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -11,6 +11,9 @@ on:
       - go.mod
       - go.sum
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/prauto.yml b/.github/workflows/prauto.yml
@@ -2,6 +2,12 @@ name: PR Automation
 on:
   pull_request_target:
     types: [ready_for_review, opened, reopened]
+
+permissions:
+  contents: none
+  issues: write
+  pull-requests: write
+
 jobs:
   pr-auto:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml
@@ -5,6 +5,10 @@ on:
     tags:
       - "v*"
 
+permissions:
+  contents: write  # publishing releases
+  repository-projects: write  # move cards between columns
+
 jobs:
   goreleaser:
     runs-on: ubuntu-latest
