Added permissions to override repo/org settings w/ least privileges required for improved security (https://cwe.mitre.org/data/definitions/275.html)

adamlui · adamlui · commit 0af2ff5267b0 · 2025-01-11T14:10:42.000-08:00
diff --git a/.github/workflows/lint-on-push-pr.yml b/.github/workflows/lint-on-push-pr.yml
@@ -1,6 +1,9 @@
 name: Lint pushes/PRs
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
 
   js-json-md-yaml-lint:
diff --git a/.github/workflows/publish-latest-release-to-npm.yml b/.github/workflows/publish-latest-release-to-npm.yml
@@ -1,7 +1,9 @@
 name: Publish latest release to npm
-
 on: workflow_dispatch
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/sync-chatgpt.js-changes-to-chrome-starter.yml b/.github/workflows/sync-chatgpt.js-changes-to-chrome-starter.yml
@@ -5,6 +5,9 @@ on:
     branches: [master, main]
     paths: [chatgpt.js]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     if: (github.repository == 'KudoAI/chatgpt.js') && (github.event.commits[0].committer.username != 'kudo-sync-bot')
diff --git a/.github/workflows/sync-chrome-starter-changes.yml b/.github/workflows/sync-chrome-starter-changes.yml
@@ -5,6 +5,9 @@ on:
     branches: [main]
     paths: [starters/chrome/**]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     if: (github.repository == 'KudoAI/chatgpt.js') && (github.event.commits[0].committer.username != 'kudo-sync-bot')
diff --git a/.github/workflows/sync-en-readme-changes.yml b/.github/workflows/sync-en-readme-changes.yml
@@ -7,6 +7,9 @@ on:
       - README.md
       - docs/README.md
 
+permissions:
+  contents: read
+
 jobs:
   build:
     if: (github.repository == 'KudoAI/chatgpt.js') && (github.event.commits[0].committer.username != 'kudo-sync-bot')
diff --git a/.github/workflows/sync-greasemonkey-starter-changes.yml b/.github/workflows/sync-greasemonkey-starter-changes.yml
@@ -5,6 +5,9 @@ on:
     branches: [main]
     paths: [starters/greasemonkey/**]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     if: (github.repository == 'KudoAI/chatgpt.js') && (github.event.commits[0].committer.username != 'kudo-sync-bot')
