From b1eb8a192da04bf53965121bd6aee6cd2c297cba Mon Sep 17 00:00:00 2001
From: Jamie Magee <jamie.magee@gmail.com>
Date: Fri, 1 Jul 2022 21:33:50 -0700
Subject: [PATCH] ci: set permissions for all workflows (#16378)

---
 .github/workflows/build.yml        | 3 +++
 .github/workflows/release-npm.yml  | 3 +++
 .github/workflows/stale-action.yml | 4 ++++
 .github/workflows/ws_scan.yaml     | 3 +++
 4 files changed, 13 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 2999333f19..4de1cc5078 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -15,6 +15,9 @@ on:
         default: 'true'
         required: false
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
   cancel-in-progress: true
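Review bot: The workflow-level `permissions:` block added above `concurrency:` caps the GITHUB_TOKEN for every job in build.yml, and once any scope is listed all unlisted scopes drop to none, so a job that pushes tags, publishes a release or comments on a pull request with that token would start failing with a permission error. The jobs are outside this hunk, so I cannot tell whether one exists; if it does, give that job its own job-level `permissions:` entry rather than widening the default. I would also add a comment such as `# Default token scope for all jobs; jobs that need more override it at job level` so the next editor does not raise the top-level value. The same applies to the identical blocks added in release-npm.yml and ws_scan.yaml.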
diff --git a/.github/workflows/release-npm.yml b/.github/workflows/release-npm.yml
index c79203ae20..ae0d9116b8 100644
--- a/.github/workflows/release-npm.yml
+++ b/.github/workflows/release-npm.yml
@@ -23,6 +23,9 @@ env:
   NPM_VERSION: ${{ github.event.client_payload.version }}
   NPM_TAG: ${{ github.event.client_payload.tag }}
 
+permissions:
+  contents: read
+
 jobs:
   release-npm:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/stale-action.yml b/.github/workflows/stale-action.yml
index fff524ac1e..e11c364d79 100644
--- a/.github/workflows/stale-action.yml
+++ b/.github/workflows/stale-action.yml
@@ -5,6 +5,10 @@ on:
   schedule:
     - cron: '30 1 * * *'
 
+permissions:
+  issues: write
+  pull-requests: write
+
 jobs:
   stale:
     runs-on: ubuntu-latest
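Review bot: `issues: write` and `pull-requests: write` are granted at workflow level here, so any job later added to stale-action.yml inherits write access to issues and pull requests without asking for it. Presumably only the `stale` job needs them (its steps are outside the hunk, so this is inferred from the job name); in that case set the top-level default to `permissions: {}` and move the two write scopes into a `permissions:` mapping under `jobs.stale`. That keeps the grant next to the action that uses it and makes a new job start with no token access.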
diff --git a/.github/workflows/ws_scan.yaml b/.github/workflows/ws_scan.yaml
index 0b592c3929..1b4f5825c4 100644
--- a/.github/workflows/ws_scan.yaml
+++ b/.github/workflows/ws_scan.yaml
@@ -4,6 +4,9 @@ on:
   push:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   WS_SCAN:
     runs-on: ubuntu-latest
-- 
GitLab