From 388c935e7ca1df4ac3775e2fff1d5d29dc8fe8c4 Mon Sep 17 00:00:00 2001
From: Stephen Morgan
Date: Thu, 10 Apr 2025 16:07:40 +1200
Subject: [PATCH] ci: explicit permission in actions
---
 .github/workflows/ci.yml | 3 +++
 .github/workflows/deploy-check.yml | 5 ++++-
 .github/workflows/install.yml | 3 +++
 .github/workflows/mirror-image.yml | 3 +++
 .github/workflows/mirror.yml | 3 +++
 .github/workflows/pg-prove.yml | 3 +++
 .github/workflows/publish-migra.yml | 9 ++++++---
 .github/workflows/release-beta.yml | 3 +++
 .github/workflows/release.yml | 4 ++++
 .github/workflows/tag-npm.yml | 3 +++
 10 files changed, 35 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e7cf2b30b..02fc04898 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
 branches:
 - develop
 
+permissions:
+ contents: read
+
 jobs:
 test:
 name: Test
diff --git a/.github/workflows/deploy-check.yml b/.github/workflows/deploy-check.yml
index 44c2806ec..3715958a0 100644
--- a/.github/workflows/deploy-check.yml
+++ b/.github/workflows/deploy-check.yml
@@ -1,7 +1,7 @@
 name: Check Deploy
 
 on:
- pull_request_target:
+ pull_request:
 types:
 - opened
 - reopened
@@ -10,6 +10,9 @@ on:
 branches:
 - main
 
+permissions:
+ contents: read
+
 jobs:
 check:
 if: github.head_ref != 'develop'
diff --git a/.github/workflows/install.yml b/.github/workflows/install.yml
index e9bcd30b1..85640211b 100644
--- a/.github/workflows/install.yml
+++ b/.github/workflows/install.yml
@@ -14,6 +14,9 @@ on:
 - 'package.json'
 - 'scripts/**'
 
+permissions:
+ contents: write
+
 jobs:
 pack:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/mirror-image.yml b/.github/workflows/mirror-image.yml
index fb0bfd5db..09365f5e0 100644
--- a/.github/workflows/mirror-image.yml
+++ b/.github/workflows/mirror-image.yml
@@ -13,6 +13,9 @@ on:
 required: true
 type: string
 
+permissions:
+ contents: read
+
 jobs:
 mirror:
 runs-on: ubuntu-latest
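Review bot: The `check` job in deploy-check.yml loses access to repository secrets for pull requests opened from forks once the trigger becomes `pull_request` instead of `pull_request_target` (first hunk of that file), so any step in that job that reads a secret or needs a write-capable `GITHUB_TOKEN` will fail or run with an empty value for fork PRs; the job body continues outside the hunk, so please confirm it only needs the `contents: read` granted in the second hunk. The `if: github.head_ref != 'develop'` guard keeps working under `pull_request`, since `head_ref` is populated for both events. A comment above `on:` such as `# pull_request, not pull_request_target: PR code must never run with base-repo secrets` would record why the weaker trigger is intentional and discourage a later revert.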
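Review bot: `contents: write` is declared at workflow level in install.yml, so every job in that file — including `pack`, which as far as the hunk shows is an ordinary `ubuntu-latest` job — receives a write-capable `GITHUB_TOKEN`. If only one job actually commits, tags or pushes, the least-privilege shape is a workflow-level `contents: read` with `permissions:` / `contents: write` declared under that single job. The same consideration applies to the workflow-level `contents: write` in release-beta.yml and the `contents: write` plus `packages: write` in release.yml. The job bodies are outside the hunks, so this is a request to verify rather than a confirmed over-grant.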
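Review bot: A top-level `permissions:` block that lists only `contents: read` sets every other scope to `none`, so if the `mirror` job in mirror-image.yml pushes to `ghcr.io` with `GITHUB_TOKEN` it now needs `packages: write` declared at job level; if it logs in with a registry secret instead, nothing changes. The job body is outside the hunk, so I cannot tell which applies. The same check is worth running for the `setup` job in mirror.yml and the jobs in pg-prove.yml; publish-migra.yml's second hunk shows a login via `secrets.DOCKER_PASSWORD`, so that one looks unaffected.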
diff --git a/.github/workflows/mirror.yml b/.github/workflows/mirror.yml
index 0eb46d868..126949ac0 100644
--- a/.github/workflows/mirror.yml
+++ b/.github/workflows/mirror.yml
@@ -19,6 +19,9 @@ on:
 - submitted
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 setup:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/pg-prove.yml b/.github/workflows/pg-prove.yml
index 9844d7e61..052ac6583 100644
--- a/.github/workflows/pg-prove.yml
+++ b/.github/workflows/pg-prove.yml
@@ -3,6 +3,9 @@ name: Publish pg_prove
 on:
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 settings:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/publish-migra.yml b/.github/workflows/publish-migra.yml
index e3db68cb6..b4a2625c5 100644
--- a/.github/workflows/publish-migra.yml
+++ b/.github/workflows/publish-migra.yml
@@ -3,6 +3,9 @@ name: Publish migra
 on:
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 settings:
 runs-on: ubuntu-latest
@@ -70,9 +73,9 @@ jobs:
 password: ${{ secrets.DOCKER_PASSWORD }}
 - name: Merge multi-arch manifests
 run: |
- docker buildx imagetools create -t ${{ needs.settings.outputs.image_tag }} \
- ${{ needs.settings.outputs.image_tag }}_amd64 \
- ${{ needs.settings.outputs.image_tag }}_arm64
+ docker buildx imagetools create -t "${{ needs.settings.outputs.image_tag }}" \
+ "${{ needs.settings.outputs.image_tag }}_amd64" \
+ "${{ needs.settings.outputs.image_tag }}_arm64"
 
 publish:
 needs:
diff --git a/.github/workflows/release-beta.yml b/.github/workflows/release-beta.yml
index bc2601c0d..e658a7614 100644
--- a/.github/workflows/release-beta.yml
+++ b/.github/workflows/release-beta.yml
@@ -6,6 +6,9 @@ on:
 - develop
 workflow_dispatch:
 
+permissions:
+ contents: write
+
 jobs:
 release:
 name: semantic-release
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8ef8b4383..369f0de89 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
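Review bot: Quoting the three `${{ needs.settings.outputs.image_tag }}` expansions in the `Merge multi-arch manifests` step of publish-migra.yml (second hunk) stops word splitting, but the expression is still substituted into the script text before the shell parses it, so a tag value containing a double quote or command-substitution characters would still alter the command. The robust form is to hand the value to the step through `env:` and reference the variable from the script, which keeps it data rather than code. Whether `image_tag` can carry untrusted content depends on how the `settings` job derives it, which is outside the hunk; the workflow is `workflow_dispatch`-driven, so it may originate from a user-supplied input. The same env indirection applies to any `run:` step in mirror-image.yml or tag-npm.yml that interpolates their `type: string` dispatch inputs.
```yaml
      - name: Merge multi-arch manifests
        env:
          IMAGE_TAG: ${{ needs.settings.outputs.image_tag }}
        run: |
          docker buildx imagetools create -t "$IMAGE_TAG" \
            "${IMAGE_TAG}_amd64" \
            "${IMAGE_TAG}_arm64"
```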
@@ -6,6 +6,10 @@ on:
 - main
 workflow_call:
 
+permissions:
+ contents: write
+ packages: write
+
 jobs:
 settings:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/tag-npm.yml b/.github/workflows/tag-npm.yml
index 9eda44cba..578756261 100644
--- a/.github/workflows/tag-npm.yml
+++ b/.github/workflows/tag-npm.yml
@@ -13,6 +13,9 @@ on:
 required: true
 type: string
 
+permissions:
+ contents: read
+
 jobs:
 tag:
 name: Move latest tag
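Review bot: release.yml is also entered through `workflow_call:`, and for a reusable workflow the token permissions are capped by what the caller grants — the `contents: write` and `packages: write` added here can only lower, never raise, the permissions a calling workflow passes in. Any workflow that calls this one therefore has to declare the same two grants itself, otherwise the release steps (outside the hunk) will hit 403s only in the called path, which is easy to miss when the `push` path to `main` works. A comment next to the block such as `# callers invoking this via workflow_call must grant the same scopes` would make that dependency visible.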