From 20c710bf60dc03b533b1f82d3b820f6129ea7b99 Mon Sep 17 00:00:00 2001
From: soji-kainos-nhs-temp
Date: Thu, 19 Mar 2026 13:43:50 +0000
Subject: [PATCH] NPT-959 Ensure Top Level permissions in workflows are not set to write-all
---
 .github/workflows/metadata.yaml | 2 ++
 .github/workflows/quality-checks.yaml | 2 ++
 .github/workflows/stage-1-commit.yaml | 2 ++
 .github/workflows/stage-2-test.yaml | 2 ++
 .github/workflows/stage-4-acceptance.yaml | 2 ++
 5 files changed, 10 insertions(+)
diff --git a/.github/workflows/metadata.yaml b/.github/workflows/metadata.yaml
index c44cb82b..6f4d849d 100644
--- a/.github/workflows/metadata.yaml
+++ b/.github/workflows/metadata.yaml
@@ -1,5 +1,7 @@
 name: Metadata Workflow
+permissions:
+ contents: read
 on:
 workflow_call:
 inputs:
diff --git a/.github/workflows/quality-checks.yaml b/.github/workflows/quality-checks.yaml
index 219e8a4e..3ea1630d 100644
--- a/.github/workflows/quality-checks.yaml
+++ b/.github/workflows/quality-checks.yaml
@@ -1,5 +1,7 @@
 name: Code Quality Checks Workflow
+permissions:
+ contents: read
 on:
 workflow_call:
 inputs:
diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml
index cc7a0554..7c79df8b 100644
--- a/.github/workflows/stage-1-commit.yaml
+++ b/.github/workflows/stage-1-commit.yaml
@@ -1,5 +1,7 @@
 name: "Commit stage"
+permissions:
+ contents: read
 on:
 workflow_call:
 inputs:
diff --git a/.github/workflows/stage-2-test.yaml b/.github/workflows/stage-2-test.yaml
index e51b0cb6..17a2aee2 100644
--- a/.github/workflows/stage-2-test.yaml
+++ b/.github/workflows/stage-2-test.yaml
@@ -1,5 +1,7 @@
 name: "Test stage"
+permissions:
+ contents: read
 on:
 workflow_call:
 inputs:
diff --git a/.github/workflows/stage-4-acceptance.yaml b/.github/workflows/stage-4-acceptance.yaml
index dd5193e1..c29bfff0 100644
--- a/.github/workflows/stage-4-acceptance.yaml
+++ b/.github/workflows/stage-4-acceptance.yaml
@@ -1,5 +1,7 @@
 name: "Acceptance stage"
+permissions:
+ contents: read
 on:
 workflow_call:
 inputs:
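Review bot: A top-level `permissions:` block that lists only `contents: read` sets every other GITHUB_TOKEN scope to `none` for all jobs in the workflow, and the jobs of `stage-4-acceptance.yaml` lie outside this hunk, so it is not visible whether any of them relies on a scope the previous default granted. The same two lines are added to `metadata.yaml`, `quality-checks.yaml`, `stage-1-commit.yaml` and `stage-2-test.yaml`, so each of those needs the same check. Where a job does need more (for example `id-token: write` for OIDC cloud login or `pull-requests: write` for PR comments), grant it in a job-level `permissions:` block rather than widening the top-level one. Because these are `workflow_call` workflows, the token can never exceed what the calling workflow grants, so the callers, which this patch does not touch, presumably need an explicit `permissions:` block as well before the write-all default is fully removed. A short comment above the block, such as `# least privilege: unlisted scopes are none; add extras per job`, would tell the next maintainer where additional scopes belong.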