Set top level token permissions (#16744)
Sets top level to `contents:read` where sufficient.
diff --git a/.github/workflows/benchmark_compilation.yml b/.github/workflows/benchmark_compilation.yml
index 32975c6..c4768c4 100644
--- a/.github/workflows/benchmark_compilation.yml
+++ b/.github/workflows/benchmark_compilation.yml
@@ -41,6 +41,9 @@
GCS path to the uploaded compilation benchmark results.
value: ${{ jobs.compilation_benchmarks.outputs.compile-stats-results-gcs-artifact }}
+permissions:
+ contents: read
+
env:
# This duplicates the variable from ci.yml. The variable needs to be in env
# instead of the outputs of setup because it contains the run attempt and we
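Review bot: The added top-level `permissions:` block replaces the repository-default GITHUB_TOKEN scope with `contents: read` only, so any job in this workflow that relies on a broader scope (for example `id-token: write` for OIDC cloud authentication, which the GCS-upload outputs hint at, or `pull-requests: write` for commenting) must now declare it at job level; the jobs themselves lie outside the hunk, so please confirm each one was checked. The same point applies to the hunks for benchmark_execution.yml, build_all.yml, build_and_test_android.yml, build_benchmark_tools.yml, lint.yml and samples.yml. The `value: ${{ jobs.* }}` outputs suggest these are reusable workflows, in which case the key can only narrow what the caller already grants, so the calling workflow needs a matching top-level setting for the restriction to hold end to end. A one-line comment above the block would record the intent for future editors: `# Least-privilege default for GITHUB_TOKEN; jobs needing more scope declare it at job level.` The setup.yml hunk also omits the blank line after `contents: read` that the other files add, which is worth aligning for consistency.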
diff --git a/.github/workflows/benchmark_execution.yml b/.github/workflows/benchmark_execution.yml
index d97150a..6ad6595 100644
--- a/.github/workflows/benchmark_execution.yml
+++ b/.github/workflows/benchmark_execution.yml
@@ -40,6 +40,9 @@
Empty if no benchmark runs.
value: ${{ jobs.run_benchmarks.outputs.benchmark-results-gcs-artifact-dir }}
+permissions:
+ contents: read
+
env:
# This duplicates the variable from ci.yml. The variable needs to be in env
# instead of the outputs of setup because it contains the run attempt and we
diff --git a/.github/workflows/build_all.yml b/.github/workflows/build_all.yml
index 00d1e9c..cd390dd 100644
--- a/.github/workflows/build_all.yml
+++ b/.github/workflows/build_all.yml
@@ -32,6 +32,9 @@
description: GCS path to the uploaded install archive.
value: ${{ jobs.build_all.outputs.install-dir-gcs-artifact }}
+permissions:
+ contents: read
+
env:
# This duplicates the variable from ci.yml. The variable needs to be in env
# instead of the outputs of setup because it contains the run attempt and we
diff --git a/.github/workflows/build_and_test_android.yml b/.github/workflows/build_and_test_android.yml
index 3539cb7..d36ce25 100644
--- a/.github/workflows/build_and_test_android.yml
+++ b/.github/workflows/build_and_test_android.yml
@@ -35,6 +35,9 @@
required: true
type: string
+permissions:
+ contents: read
+
env:
# This duplicates the variable from ci.yml. The variable needs to be in env
# instead of the outputs of setup because it contains the run attempt and we
diff --git a/.github/workflows/build_benchmark_tools.yml b/.github/workflows/build_benchmark_tools.yml
index 546abda..5044eba 100644
--- a/.github/workflows/build_benchmark_tools.yml
+++ b/.github/workflows/build_benchmark_tools.yml
@@ -34,6 +34,9 @@
GCS path to benchmark tools archive.
value: ${{ jobs.build_benchmark_tools.outputs.benchmark-tools-gcs-artifact-dir }}
+permissions:
+ contents: read
+
env:
# This duplicates the variable from ci.yml. The variable needs to be in env
# instead of the outputs of setup because it contains the run attempt and we
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 899a426..bb57ae6 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -10,6 +10,9 @@
on: [pull_request]
+permissions:
+ contents: read
+
jobs:
bazel_to_cmake:
runs-on: ubuntu-20.04
diff --git a/.github/workflows/samples.yml b/.github/workflows/samples.yml
index 3db84e9..1448188 100644
--- a/.github/workflows/samples.yml
+++ b/.github/workflows/samples.yml
@@ -15,6 +15,9 @@
- cron: "5 4 * * 1-5"
workflow_dispatch:
+permissions:
+ contents: read
+
concurrency:
# A PR number if a pull request and otherwise the commit hash. This cancels
# queued and in-progress runs for the same PR (presubmit) or commit
diff --git a/.github/workflows/setup.yml b/.github/workflows/setup.yml
index 85ead03..e442e03 100644
--- a/.github/workflows/setup.yml
+++ b/.github/workflows/setup.yml
@@ -38,6 +38,8 @@
A comma-separated string of benchmarks to run.
value: ${{ jobs.setup.outputs.benchmark-presets }}
+permissions:
+ contents: read
env:
# This duplicates the variable from ci.yml. The variable needs to be in env