CI: Set workflow permissions

tvdeyen · tvdeyen · commit 01d7f1f8d1bd · 2025-01-08T17:49:40.000+01:00
Adviced by the GH CodeQL scanner (cherry picked from commit ce3b4ad) # Conflicts: # .github/workflows/backport.yml # .github/workflows/brakeman-analysis.yml # .github/workflows/build_test.yml # .github/workflows/lint.yml
diff --git a/.github/workflows/brakeman-analysis.yml b/.github/workflows/brakeman-analysis.yml
@@ -3,6 +3,13 @@
 
 name: Brakeman Scan
 
+concurrency:
+  group: brakeman-${{ github.ref_name }}
+  cancel-in-progress: ${{ github.ref_name != 'main' }}
+
+permissions:
+  contents: read
+
 on:
   push:
     branches:
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -2,6 +2,13 @@ name: Lint
 
 on: [pull_request]
 
+concurrency:
+  group: lint-${{ github.ref_name }}
+  cancel-in-progress: ${{ github.ref_name != 'main' }}
+
+permissions:
+  contents: read
+
 jobs:
   Standard:
     runs-on: ubuntu-22.04
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -4,10 +4,13 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  pull-requests: write
+  issues: write
+
 jobs:
   stale:
     runs-on: ubuntu-22.04
-
     steps:
       - uses: actions/stale@v5
         with:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -6,6 +6,9 @@ on:
       - 7.0-stable
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   RSpec:
     runs-on: ubuntu-22.04
