follow the OpenSSF recommendations for github permissions (#6378)

Raffo · web-flow · commit 51995b83f4d6 · 2026-04-20T16:19:51.000+05:30
Signed-off-by: Raffaele Di Fazio &lt;raffo@github.com&gt;
diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml
@@ -10,6 +10,8 @@ on:
   - cron: '35 13 * * 5'
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   analyze:
     name: Analyze
diff --git a/.github/workflows/dependency-update.yaml b/.github/workflows/dependency-update.yaml
@@ -8,14 +8,15 @@ on:
     # once a day
     - cron: '0 0 * * *'
 
-permissions:
-  contents: write
-  pull-requests: write
+permissions: {}
 
 jobs:
   update-versions-with-renovate:
     runs-on: ubuntu-latest
     if: github.repository == 'kubernetes-sigs/external-dns'
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/gh-workflow-approve.yaml b/.github/workflows/gh-workflow-approve.yaml
@@ -8,6 +8,8 @@ on:
     branches:
       - master
 
+permissions: {}
+
 jobs:
   approve:
     name: Approve ok-to-test
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -4,6 +4,8 @@ on:
   pull_request:
     branches: [ master ]
 
+permissions: {}
+
 jobs:
   lint:
     name: Markdown and Go
