ci: scope down GitHub Token permissions (#1048)

AdnaneKhan · web-flow · commit 084a7c8154c4 · 2025-11-09T17:31:22.000Z
* ci: scope down permissions for build-runtime.yml
* ci: scope down permissions for format.yml
* ci: scope down permissions for check-examples.yml
* ci: scope down permissions for test-rie.yml
* ci: scope down permissions for closed-issue-message.yml
* ci: scope down permissions for build-integration-test.yml
* ci: scope down permissions for build-extension.yml
* ci: scope down permissions for check-docs.yml
* ci: scope down permissions for build-events.yml
diff --git a/.github/workflows/build-events.yml b/.github/workflows/build-events.yml
@@ -10,6 +10,9 @@ on:
       - "lambda-events/**"
       - "Cargo.toml"
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/build-extension.yml b/.github/workflows/build-extension.yml
@@ -16,6 +16,9 @@ on:
       - 'Cargo.toml'
 
 
+permissions:
+  contents: read
+
 jobs:
   build-runtime:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/build-integration-test.yml b/.github/workflows/build-integration-test.yml
@@ -17,6 +17,9 @@ on:
       - 'lambda-extension/**'
       - 'Cargo.toml'
 
+permissions:
+  contents: read
+
 jobs:
   build-runtime:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/build-runtime.yml b/.github/workflows/build-runtime.yml
@@ -15,6 +15,9 @@ on:
       - 'lambda-http/**'
       - 'Cargo.toml'
 
+permissions:
+  contents: read
+
 jobs:
   build-runtime:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/check-docs.yml b/.github/workflows/check-docs.yml
@@ -21,6 +21,9 @@ on:
       - 'lambda-extension/**'
       - 'Cargo.toml'
 
+permissions:
+  contents: read
+
 jobs:
   build-runtime:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/check-examples.yml b/.github/workflows/check-examples.yml
@@ -5,6 +5,9 @@ on:
     branches: [main]
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   check:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/closed-issue-message.yml b/.github/workflows/closed-issue-message.yml
@@ -2,6 +2,9 @@ name: Closed Issue Message
 on:
     issues:
        types: [closed]
+permissions:
+  issues: write
+
 jobs:
     auto_comment:
         runs-on: ubuntu-latest
diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
@@ -2,6 +2,9 @@ name: Formatting and Linting
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   fmt:
     name: Cargo fmt
diff --git a/.github/workflows/test-rie.yml b/.github/workflows/test-rie.yml
@@ -6,6 +6,9 @@ on:
   push:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   test-rie:
     runs-on: ubuntu-latest
