fix: reduce token permissions in github workflows

edisile · edisile · commit 8b7193a355ba · 2025-09-29T14:53:22.000+02:00
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
@@ -17,6 +17,8 @@ on:
 jobs:
   setup:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     environment: ${{ github.event.inputs.environment != '' && github.event.inputs.environment || (github.ref == 'refs/heads/main' && 'Production' || 'Staging') }}
     outputs:
       charm_name: ${{ steps.setup-vars.outputs.charm_name }}
@@ -38,6 +40,9 @@ jobs:
     needs: setup
     name: Deploy
     uses: canonical/webteam-devops/.github/workflows/deploy.yaml@main
+    permissions:
+      contents: read
+      deployments: write
     with:
       environment: ${{ needs.setup.outputs.environment }}
       charm_name: ${{ needs.setup.outputs.charm_name }}
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -76,6 +76,8 @@ jobs:
 
   pack-rock:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
 
