diff --git a/.github/workflows/build-for-pr.yml b/.github/workflows/build-for-pr.yml
index f920262cf8c..381a56054b6 100644
--- a/.github/workflows/build-for-pr.yml
+++ b/.github/workflows/build-for-pr.yml
@@ -9,6 +9,9 @@ defaults:
 run:
 shell: bash
 
+permissions:
+ contents: read
+
 env:
 TERM: xterm
 
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index b0ff6a2c231..573e8ea098b 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -6,6 +6,9 @@ defaults:
 run:
 shell: bash
 
+permissions:
+ contents: read
+
 env:
 TERM: xterm
 
diff --git a/.github/workflows/compatibility-matrix-testing.yml b/.github/workflows/compatibility-matrix-testing.yml
index a564d773741..21b076f6538 100644
--- a/.github/workflows/compatibility-matrix-testing.yml
+++ b/.github/workflows/compatibility-matrix-testing.yml
@@ -11,6 +11,9 @@ on:
 description: "The desktop version to test"
 required: true
 
+permissions:
+ contents: read
+
 jobs:
 ## This is picked up after the finish for cleanup
 upload-cmt-server-detals:
diff --git a/.github/workflows/e2e-functional-template.yml b/.github/workflows/e2e-functional-template.yml
index ad1f580ffbf..249c896047a 100644
--- a/.github/workflows/e2e-functional-template.yml
+++ b/.github/workflows/e2e-functional-template.yml
@@ -114,6 +114,9 @@ on:
 type: string
 required: true
 
+permissions:
+ contents: read
+
 env:
 AWS_S3_BUCKET: "mattermost-cypress-report"
 BRANCH: ${{ github.head_ref || github.ref_name }}
diff --git a/.github/workflows/e2e-functional.yml b/.github/workflows/e2e-functional.yml
index 0a7ae527c15..f7b24c48385 100644
--- a/.github/workflows/e2e-functional.yml
+++ b/.github/workflows/e2e-functional.yml
@@ -29,6 +29,9 @@ on:
 required: false
 default: false
 
+permissions:
+ contents: read
+
 jobs:
 prepare-matrix:
 if: ${{ github.event_name == 'workflow_dispatch' && inputs.instance_details != '' }}
diff --git a/.github/workflows/nightly-builds.yaml b/.github/workflows/nightly-builds.yaml
index d63cb5f558e..5d04cbd7311 100644
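Review bot: The new top-level `permissions:` block in build-for-pr.yml lists only `contents: read`, and once any scope is listed GitHub sets every unlisted scope to `none`, so a step that used the default token to comment on a pull request, set a commit status or request an OIDC token would now be refused. The jobs are outside these hunks, so this cannot be confirmed from here; the same applies to the identical additions in ci.yaml, compatibility-matrix-testing.yml, e2e-functional-template.yml and e2e-functional.yml. A comment above the block would record the intent, for example `# Read-only GITHUB_TOKEN by default; a job that needs more declares its own permissions block`.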
--- a/.github/workflows/nightly-builds.yaml
+++ b/.github/workflows/nightly-builds.yaml
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: 0 4 * * 0-5
 
+permissions:
+ contents: read
+
 jobs:
 tag-nightly-build:
 runs-on: ubuntu-22.04
diff --git a/.github/workflows/nightly-main.yml b/.github/workflows/nightly-main.yml
index fe29e6d4ff3..e84c35b44d8 100644
--- a/.github/workflows/nightly-main.yml
+++ b/.github/workflows/nightly-main.yml
@@ -23,6 +23,9 @@ env:
 MM_WIN_INSTALLERS: 1
 REFERENCE: ${{ inputs.tag }}
 
+permissions:
+ contents: read
+
 jobs:
 build-linux:
 runs-on: ubuntu-22.04
diff --git a/.github/workflows/nightly-rainforest.yml b/.github/workflows/nightly-rainforest.yml
index c81e8cfd747..429abe06400 100644
--- a/.github/workflows/nightly-rainforest.yml
+++ b/.github/workflows/nightly-rainforest.yml
@@ -18,6 +18,9 @@ defaults:
 run:
 shell: bash
 
+permissions:
+ contents: read
+
 env:
 TERM: xterm
 MM_DESKTOP_BUILD_DISABLEGPU: true
diff --git a/.github/workflows/release-mas.yaml b/.github/workflows/release-mas.yaml
index 70a28831ac3..ec7a19949da 100644
--- a/.github/workflows/release-mas.yaml
+++ b/.github/workflows/release-mas.yaml
@@ -10,6 +10,9 @@ defaults:
 run:
 shell: bash
 
+permissions:
+ contents: read
+
 env:
 TERM: xterm
 
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 28f037da976..8b7bcac8236 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -10,6 +10,9 @@ defaults:
 run:
 shell: bash
 
+permissions:
+ contents: read
+
 env:
 TERM: xterm
 MM_WIN_INSTALLERS: 1
diff --git a/.github/workflows/run-release-script.yml b/.github/workflows/run-release-script.yml
index ce96d412845..c76de6fb548 100644
--- a/.github/workflows/run-release-script.yml
+++ b/.github/workflows/run-release-script.yml
@@ -27,6 +27,9 @@ defaults:
 run:
 shell: bash
 
+permissions:
+ contents: read
+
 env:
 TERM: xterm
 
diff --git a/.github/workflows/snyk-sbom.yml b/.github/workflows/snyk-sbom.yml
index a954877f091..dc7d3a19ed9 100644
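Review bot: The `tag-nightly-build` job that follows the new block in nightly-builds.yaml presumably creates or pushes a tag, and with the workflow default now `contents: read` a push authenticated with `GITHUB_TOKEN` would be rejected. The job body is outside the hunk, so check which credential it uses; if it is the default token, grant the scope on that job alone with `permissions: {contents: write}` under `tag-nightly-build` rather than widening the workflow default. If the job authenticates with a personal access token or deploy key from secrets, this block does not limit that credential, and a comment saying so would stop readers assuming the workflow is read-only. The same check applies to the workflows that appear to publish artifacts: nightly-main.yml, release-mas.yaml, release.yaml and run-release-script.yml.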
--- a/.github/workflows/snyk-sbom.yml
+++ b/.github/workflows/snyk-sbom.yml
@@ -9,6 +9,9 @@ on:
 release:
 types: [published]
 
+permissions:
+ contents: read
+
 jobs:
 sbom:
 permissions:
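Review bot: The `sbom` job directly below the added block already has its own `permissions:` key, and a job-level block replaces the workflow-level one instead of merging with it, so the new `contents: read` default does not reach that job. It only covers jobs that have no block of their own; if `sbom` checks out the repository, `contents: read` has to appear in its own list, which continues outside the hunk. A comment above the new block such as `# Default for jobs without their own permissions block` would make the scope of the change clear.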