From bc5b60a8bda3f1454c6d6203250d7917573e5f84 Mon Sep 17 00:00:00 2001
From: Hamlet Jiang Su
Date: Mon, 23 Mar 2026 07:56:11 -0700
Subject: [PATCH] feat: lock down workflow permissions

---
 .github/workflows/ci.yml | 3 +++
 .github/workflows/instances.yml | 20 ++++++++++++--------
 .github/workflows/release.yml | 5 ++++-
 3 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 07bdd787d..c9c71fb1d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,6 +9,9 @@ on:
 - develop
 workflow_dispatch:

+permissions:
+ contents: read
+
 jobs:
 linting:
 name: Linting & Formatting
diff --git a/.github/workflows/instances.yml b/.github/workflows/instances.yml
index 05fbe7514..424eb4cbc 100644
--- a/.github/workflows/instances.yml
+++ b/.github/workflows/instances.yml
@@ -1,13 +1,17 @@
 name: instances
-on:
- push:
- branches:
- - develop
- workflow_dispatch:
-
-jobs:
- instances:
+on:
+ push:
+ branches:
+ - develop
+ workflow_dispatch:
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ instances:
 name: Instances
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 30b5da6d4..1aaf97ed7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,6 +11,9 @@ on:
 description: Is this a dry run (do not generate draft release)?
 default: true

+permissions:
+ contents: write
+
 jobs:
 build_android:
 runs-on: ubuntu-latest
@@ -103,4 +106,4 @@ jobs:
 prerelease: ${{ steps.generate-version-info.outputs.prerelease }}
 draft: true
 artifacts: ./build/app/outputs/flutter-apk/thunder-v${{ steps.generate-version-info.outputs.version }}-*.apk
- generateReleaseNotes: true
\ No newline at end of file
+ generateReleaseNotes: true
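Review bot: The new workflow-level `permissions: contents: read` in ci.yml silently drops every other GITHUB_TOKEN scope for all jobs, which is the right default, but nothing in the file records that intent, so the next person who needs `pull-requests: write` for one job is likely to widen it here instead of on that job. Add a comment above the block: `# Least-privilege GITHUB_TOKEN for the whole workflow; grant extra scopes per job, never here.` The `linting` job's body continues outside the hunk, so I cannot confirm no job in this file needs more than read.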
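Review bot: In instances.yml the `contents: write` and `pull-requests: write` grant is placed at the workflow level, so it applies to every job in the file rather than only to the `instances` job, whose steps begin after the hunk and so cannot be checked for which of the two scopes they actually use. Moving the grant under `jobs.instances` and keeping a read-only default at the top means a job added later does not inherit write to the repository and to pull requests. Because this workflow runs on push to `develop` and on `workflow_dispatch`, any commit or pull request the job creates with GITHUB_TOKEN will not itself trigger other workflows; if the job relies on that (or is surprised by it), note it in a comment. The removed and re-added `on:`/`jobs:` lines are byte-identical in the diff, which suggests a line-ending or whitespace normalization rather than a logic change — worth stating in the commit message.
```yaml
permissions:
  contents: read

jobs:
  instances:
    # Only this job pushes and opens PRs; keep the write scopes here, not workflow-wide.
    permissions:
      contents: write
      pull-requests: write
    # … unchanged: name, runs-on, steps …
```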
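Review bot: release.yml grants `contents: write` at the workflow level, so `build_android` — whose visible lines only set `runs-on` and, per its name, build the APK — receives a token that can push to the repository and create releases, and it does so even on a dry run (`default: true`). Only the job that calls the release action in the second hunk (`draft: true`, `artifacts:`) needs that scope; set `permissions: contents: read` at the top and `permissions:` / `  contents: write` on that job. The name of the releasing job is outside the hunk, so which job to annotate is inferred from the `draft`/`artifacts` lines.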