CI: Consistently add a top-level permissions definition to GHA workflows

This makes it easy to verify the permissions and to apply them to all jobs within a given workflow.
2026-05-28 04:12:17 -04:00 · 2026-04-12 21:24:19 +02:00 · 2026-04-12 21:24:19 +02:00 · a4737cca08
commit a4737cca08
parent 991d5dabe0
6 changed files with 16 additions and 8 deletions
--- a/.github/workflows/aws-lc-fips.yml
+++ b/.github/workflows/aws-lc-fips.yml
@ -5,6 +5,9 @@ on:
    - cron: "0 0 * * 4"
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  test:
    uses: ./.github/workflows/aws-lc-template.yml
--- a/.github/workflows/aws-lc.yml
+++ b/.github/workflows/aws-lc.yml
@ -5,6 +5,9 @@ on:
    - cron: "0 0 * * 4"
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  test:
    uses: ./.github/workflows/aws-lc-template.yml
--- a/.github/workflows/illumos.yml
+++ b/.github/workflows/illumos.yml
@ -5,12 +5,13 @@ on:
    - cron: "0 0 25 * *"
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  gcc:
    runs-on: ubuntu-latest
    if: ${{ github.repository_owner == 'haproxy' || github.event_name == 'workflow_dispatch' }}
-    permissions:
-      contents: read
    steps:
      - name: "Checkout repository"
        uses: actions/checkout@v5
--- a/.github/workflows/netbsd.yml
+++ b/.github/workflows/netbsd.yml
@ -5,12 +5,13 @@ on:
    - cron: "0 0 25 * *"
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  gcc:
    runs-on: ubuntu-latest
    if: ${{ github.repository_owner == 'haproxy' || github.event_name == 'workflow_dispatch' }}
-    permissions:
-      contents: read
    steps:
      - name: "Checkout repository"
        uses: actions/checkout@v5
--- a/.github/workflows/quic-interop-aws-lc.yml
+++ b/.github/workflows/quic-interop-aws-lc.yml
@ -9,13 +9,13 @@ on:
  schedule:
    - cron: "0 0 * * 2"

+permissions:
+  contents: read

 jobs:
  combined-build-and-run:
    runs-on: ubuntu-24.04
    if: ${{ github.repository_owner == 'haproxy' || github.event_name == 'workflow_dispatch' }}
-    permissions:
-      contents: read

    steps:
      - uses: actions/checkout@v5
--- a/.github/workflows/quic-interop-libressl.yml
+++ b/.github/workflows/quic-interop-libressl.yml
@ -9,13 +9,13 @@ on:
  schedule:
    - cron: "0 0 * * 2"

+permissions:
+  contents: read

 jobs:
  combined-build-and-run:
    runs-on: ubuntu-24.04
    if: ${{ github.repository_owner == 'haproxy' || github.event_name == 'workflow_dispatch' }}
-    permissions:
-      contents: read

    steps:
      - uses: actions/checkout@v5