Skip to content

security: add permissions block to workflows#234

Merged
trentm merged 1 commit into
mainfrom
gh-oblt/add-permission-block-to-workflows
Jul 8, 2026
Merged

security: add permissions block to workflows#234
trentm merged 1 commit into
mainfrom
gh-oblt/add-permission-block-to-workflows

Conversation

@elastic-vault-github-plugin-prod

Copy link
Copy Markdown
Contributor

Details

⚠️ This PR was created by an automated tool. Please review the changes carefully. ⚠️

We want to set the default permissions for workflows to read-only for contents.
This is a security measure to prevent accidental changes to the repository.

This change adds a top-level permissions block to all workflows in the .github/workflows directory.

permissions:
  contents: read

In some cases workflows might need more permissions than just contents: read.
Please checkout this branch and add the necessary permissions to the workflows.

If your workflow uses a Personal Access Token (PAT), we can still add the permissions block,
but it will not have any effect.

Merging this PR as is might cause workflows that need more permissions to fail.

If there are any questions, please reach out to the @elastic/observablt-ci

@elastic-vault-github-plugin-prod elastic-vault-github-plugin-prod Bot requested a review from a team July 8, 2026 07:50
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

@trentm trentm merged commit 2b7b2a8 into main Jul 8, 2026
14 of 17 checks passed
@trentm trentm deleted the gh-oblt/add-permission-block-to-workflows branch July 8, 2026 17:26
types: [opened, ready_for_review, reopened, closed]

permissions:
contents: none

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewer: One of the points of this initiative is to not have empty top level permissions. This permission is useless itself, since the job already has the ones it needs defined, but it is here so we don't flag the workflow anymore with empty top block permissions

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants