~ruther/qmk_firmware: Lock down workflow permissions. (#19406)

13 files changed, 41 insertions(+), 4 deletions(-)

M .github/workflows/api.yml
M .github/workflows/auto_approve.yml
M .github/workflows/auto_tag.yml
M .github/workflows/cli.yml
M .github/workflows/develop_update.yml
M .github/workflows/docs.yml
M .github/workflows/feature_branch_update.yml
M .github/workflows/format.yml
M .github/workflows/format_push.yml
M .github/workflows/labeler.yml
M .github/workflows/lint.yml
M .github/workflows/stale.yml
M .github/workflows/unit_test.yml

M .github/workflows/api.yml => .github/workflows/api.yml +3 -0

@@ 1,5 1,8 @@
 name: Update API Data
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:

M .github/workflows/auto_approve.yml => .github/workflows/auto_approve.yml +2 -0

@@ 1,5 1,7 @@
 name: Automatic Approve
 
+permissions: {}
+
 on:
   schedule:
     - cron: "*/5 * * * *"

M .github/workflows/auto_tag.yml => .github/workflows/auto_tag.yml +3 -0

@@ 1,5 1,8 @@
 name: Essential files modified
 
+permissions:
+  contents: write
+
 on:
   push:
     branches:

M .github/workflows/cli.yml => .github/workflows/cli.yml +3 -0

@@ 1,5 1,8 @@
 name: CLI CI
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:

M .github/workflows/develop_update.yml => .github/workflows/develop_update.yml +3 -0

@@ 1,5 1,8 @@
 name: Update develop after master merge
 
+permissions:
+  contents: write
+
 on:
   push:
     branches:

M .github/workflows/docs.yml => .github/workflows/docs.yml +3 -0

@@ 1,5 1,8 @@
 name: Generate Docs
 
+permissions:
+  contents: write
+
 on:
   push:
     branches:

M .github/workflows/feature_branch_update.yml => .github/workflows/feature_branch_update.yml +3 -0

@@ 1,5 1,8 @@
 name: Update feature branches after develop merge
 
+permissions:
+  contents: write
+
 on:
   push:
     branches:

M .github/workflows/format.yml => .github/workflows/format.yml +3 -0

@@ 1,5 1,8 @@
 name: PR Lint Format
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     paths:

M .github/workflows/format_push.yml => .github/workflows/format_push.yml +3 -0

@@ 1,5 1,8 @@
 name: Lint Format
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:

M .github/workflows/labeler.yml => .github/workflows/labeler.yml +4 -0

@@ 1,5 1,9 @@
 name: "Pull Request Labeler"
 
+permissions:
+  contents: read
+  pull-requests: write
+
 on:
   pull_request_target:
     types: [opened, synchronize, reopened, ready_for_review, locked]

M .github/workflows/lint.yml => .github/workflows/lint.yml +3 -0

@@ 1,5 1,8 @@
 name: PR Lint keyboards
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     paths:

M .github/workflows/stale.yml => .github/workflows/stale.yml +5 -4

@@ 1,13 1,14 @@
 name: 'Close stale issues and PRs'
-on:
-  schedule:
-    - cron: '30 1 * * *'
-  workflow_dispatch:
 
 permissions:
   issues: write
   pull-requests: write
 
+on:
+  schedule:
+    - cron: '30 1 * * *'
+  workflow_dispatch:
+
 jobs:
   stale:
     runs-on: ubuntu-latest

M .github/workflows/unit_test.yml => .github/workflows/unit_test.yml +3 -0

@@ 1,5 1,8 @@
 name: Unit Tests
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: