fix: add least-privilege token permissions to GitHub workflows (OSSF)

Agent-Logs-Url: https://github.com/mikefarah/yq/sessions/1b5db5e2-af78-4289-a6e0-2e972fc68ef1 Co-authored-by: mikefarah <1151925+mikefarah@users.noreply.github.com>
2026-06-29 08:38:48 +00:00 · 2026-04-13 08:56:13 +00:00 · 2026-04-13 08:56:13 +00:00 · 2cbd0b3350
commit 2cbd0b3350
parent e2feebb221
4 changed files with 13 additions and 0 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -20,6 +20,8 @@ on:
  schedule:
    - cron: '24 3 * * 1'

+permissions: {}
+
 jobs:
  analyze:
    name: Analyze
--- a/.github/workflows/docker-release.yml
+++ b/.github/workflows/docker-release.yml
@ -7,12 +7,17 @@ on:
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

+permissions: {}
+
 jobs:
  publishDocker:
    environment: dockerhub
    env:
      IMAGE_NAME: mikefarah/yq
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -5,6 +5,8 @@ on:
      - 'v4.*'
      - 'draft-*'

+permissions: {}
+
 jobs:
  publishGitRelease:
    runs-on: ubuntu-latest
--- a/.github/workflows/snap-release.yml
+++ b/.github/workflows/snap-release.yml
@ -7,10 +7,14 @@ on:
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

+permissions: {}
+
 jobs:
    buildSnap:
      environment: snap
      runs-on: ubuntu-latest
+      permissions:
+        contents: read
      steps:
        - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        - uses: snapcore/action-build@3bdaa03e1ba6bf59a65f84a751d943d549a54e79 # v1.3.0