[StepSecurity] ci: Harden GitHub Actions (#619)

step-security-bot · web-flow · commit 24f7c04be212 · 2026-03-04T15:19:19.000+01:00
Signed-off-by: StepSecurity Bot &lt;bot@stepsecurity.io&gt;
diff --git a/.github/workflows/deploy-javadoc.yml b/.github/workflows/deploy-javadoc.yml
@@ -6,6 +6,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   deploy-javadoc:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/deploy-snapshots.yml b/.github/workflows/deploy-snapshots.yml
@@ -6,6 +6,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   deploy-snapshots:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
@@ -6,6 +6,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   update_release_draft:
     permissions:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -3,6 +3,9 @@ name: Release
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   deploy-release:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/updatecli.yaml b/.github/workflows/updatecli.yaml
@@ -5,6 +5,9 @@ on:
     - cron: '0 2 * * 1' # Every Monday at 2am UTC
   push:
   pull_request:
+permissions:
+  contents: read
+
 jobs:
   updatecli:
     permissions:
