chore(ci): More workflow permission changes (#11394)

Josh-Walker-GM · web-flow · commit 9292ec58f524 · 2024-08-29T22:59:15.000+01:00
Working towards have the minimum permissions in our CI workflows.
diff --git a/.github/workflows/check-changelog.yml b/.github/workflows/check-changelog.yml
@@ -19,6 +19,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   check-changesets:
     name: 📝 Check changesets
diff --git a/.github/workflows/check-create-redwood-app.yml b/.github/workflows/check-create-redwood-app.yml
@@ -10,6 +10,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   check-create-redwood-app:
     name: Check create redwood app
diff --git a/.github/workflows/check-test-project-fixture.yml b/.github/workflows/check-test-project-fixture.yml
@@ -10,6 +10,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   detect-changes:
     if: github.repository == 'redwoodjs/redwood'
@@ -39,6 +41,8 @@ jobs:
     if: needs.detect-changes.outputs.code == 'true'
     name: Check test project fixture
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     steps:
       - uses: actions/checkout@v4
 
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -26,13 +26,14 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
-  security-events: write
+permissions: {}
 
 jobs:
   analyze:
     name: 🔬 Analyze
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write
 
     strategy:
       fail-fast: false
