ci: add minimum GitHub token permissions for workflows (argoproj#9552)

ashishkurmi · juchaosong · commit 491e69f50085 · 2022-11-03T13:42:23.000+08:00
Signed-off-by: juchao &lt;juchao@coscene.io&gt;
diff --git a/.github/workflows/changelog.yaml b/.github/workflows/changelog.yaml
@@ -5,8 +5,14 @@ on:
     tags:
       - v*
       - "!v0.0.0"
+permissions:
+  contents: read
+
 jobs:
   generate_changelog:
+    permissions:
+      contents: write  # for peter-evans/create-pull-request to create branch
+      pull-requests: write  # for peter-evans/create-pull-request to create a PR
     if: github.repository == 'argoproj/argo-workflows'
     runs-on: ubuntu-latest
     name: Generate changelog
diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml
@@ -13,6 +13,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   tests:
     name: Unit Tests
diff --git a/.github/workflows/gh-pages.yaml b/.github/workflows/gh-pages.yaml
@@ -12,6 +12,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   docs:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -16,6 +16,9 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+
 jobs:
   build-linux-amd64:
     name: Build & push linux/amd64
@@ -317,6 +320,8 @@ jobs:
           done
 
   publish-release:
+    permissions:
+      contents: write  # for softprops/action-gh-release to create GitHub release
     runs-on: ubuntu-latest
     if: github.repository == 'argoproj/argo-workflows'
     needs: [ push-images, test-images-linux-amd64, test-images-windows ]
diff --git a/.github/workflows/sdks.yaml b/.github/workflows/sdks.yaml
@@ -3,8 +3,16 @@ on:
   push:
     tags:
       - v*
+
+permissions:
+  contents: read
+
 jobs:
   sdk:
+    permissions:
+      contents: read
+      packages: write # for publishing packages
+      contents: write  # for creating releases
     if: github.repository == 'argoproj/argo-workflows'
     runs-on: ubuntu-latest
     name: Publish SDK
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
@@ -2,6 +2,9 @@ name: Snyk
 on:
   schedule:
     - cron: "30 2 * * *"
+permissions:
+  contents: read
+
 jobs:
   # we do not scan images here, they're scanned here: https://app.snyk.io/org/argoproj/projects
 
