diff --git a/.github/workflows/automation.yml b/.github/workflows/automation.yml index 0989df64b9..2dc7fb5a3e 100644 --- a/.github/workflows/automation.yml +++ b/.github/workflows/automation.yml @@ -7,6 +7,7 @@ on: pull_request_target: issue_comment: +permissions: {} jobs: label: name: Labeling diff --git a/.github/workflows/commands.yml b/.github/workflows/commands.yml index a29519b296..f7fbc4706d 100644 --- a/.github/workflows/commands.yml +++ b/.github/workflows/commands.yml @@ -9,6 +9,7 @@ on: - labeled - synchronize +permissions: {} jobs: rebase: name: Rebase @@ -34,6 +35,9 @@ jobs: GITHUB_TOKEN: ${{ secrets.JF_BOT_TOKEN }} check-backport: + permissions: + contents: read + name: Check Backport if: ${{ ( github.event.issue.pull_request && contains(github.event.comment.body, '@jellyfin-bot check backport') ) || github.event.label.name == 'stable backport' || contains(github.event.pull_request.labels.*.name, 'stable backport' ) }} runs-on: ubuntu-latest diff --git a/.github/workflows/openapi.yml b/.github/workflows/openapi.yml index 390d140fd5..a82579f1b1 100644 --- a/.github/workflows/openapi.yml +++ b/.github/workflows/openapi.yml @@ -5,6 +5,8 @@ on: - master pull_request_target: +permissions: {} + jobs: openapi-head: name: OpenAPI - HEAD @@ -55,6 +57,9 @@ jobs: path: tests/Jellyfin.Server.Integration.Tests/bin/Release/net6.0/openapi.json openapi-diff: + permissions: + pull-requests: write # to create or update comment (peter-evans/create-or-update-comment) + name: OpenAPI - Difference if: ${{ github.event_name == 'pull_request_target' }} runs-on: ubuntu-latest diff --git a/.github/workflows/repo-stale.yaml b/.github/workflows/repo-stale.yaml index f7a77f02b1..1c6fe1492f 100644 --- a/.github/workflows/repo-stale.yaml +++ b/.github/workflows/repo-stale.yaml @@ -5,6 +5,7 @@ on: - cron: '30 1 * * *' workflow_dispatch: +permissions: {} jobs: stale: runs-on: ubuntu-latest