ci: improve permissions on pipeline

deandreamatias · deandreamatias · commit d02ae232cb6a · 2026-02-01T14:10:14.000+01:00
diff --git a/.github/workflows/base-beta.yaml b/.github/workflows/base-beta.yaml
@@ -13,6 +13,8 @@ on:
 
   workflow_dispatch:
 
+  permissions:
+    contents: read
 # This ensures that previous jobs for the PR are canceled when PR is updated
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/base.yaml b/.github/workflows/base.yaml
@@ -11,6 +11,9 @@ on:
 
   workflow_dispatch:
 
+  permissions:
+    contents: read
+
 # This ensures that previous jobs for the PR are canceled when PR is updated
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
@@ -9,6 +9,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: PR Conventional Commit Validation
+        permissions:
+          contents: read
         uses:  ytanikin/PRConventionalCommits@1.3.0
         with:
          task_types: '["feat","fix","docs","test","ci","refactor","perf","chore","revert"]'
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
@@ -6,6 +6,10 @@ on:
 jobs:
   stale:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+      contents: write
     steps:
       - uses: actions/stale@v10
         with:
