Add permissions tofiles-changed jobs (#36142)

Followup to https://github.com/go-gitea/gitea/pull/36140. `files-changed` is a job that imports another workflow via `uses` statement but CodeQL still complains about lack of permissions on these jobs, so add it. This will fix the remaining [3 CodeQL issues](https://github.com/go-gitea/gitea/security/code-scanning?query=is%3Aopen+branch%3Amain+permissions).
2025-12-13 08:20:25 +01:00 · 2025-12-12 18:38:59 +01:00
parent 4c06c98dda
commit 3e57ba5b36
3 changed files with 6 additions and 0 deletions
--- a/.github/workflows/pull-compliance.yml
+++ b/.github/workflows/pull-compliance.yml
@@ -10,6 +10,8 @@ concurrency:
 jobs:
  files-changed:
    uses: ./.github/workflows/files-changed.yml
+    permissions:
+      contents: read

  lint-backend:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
--- a/.github/workflows/pull-db-tests.yml
+++ b/.github/workflows/pull-db-tests.yml
@@ -10,6 +10,8 @@ concurrency:
 jobs:
  files-changed:
    uses: ./.github/workflows/files-changed.yml
+    permissions:
+      contents: read

  test-pgsql:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
--- a/.github/workflows/pull-docker-dryrun.yml
+++ b/.github/workflows/pull-docker-dryrun.yml
@@ -10,6 +10,8 @@ concurrency:
 jobs:
  files-changed:
    uses: ./.github/workflows/files-changed.yml
+    permissions:
+      contents: read

  container:
    if: needs.files-changed.outputs.docker == 'true' || needs.files-changed.outputs.actions == 'true'