From 5a6ac2fd0f53b3c0c68c1915cc318f0c02e1a268 Mon Sep 17 00:00:00 2001
From: Cody Bruno
Date: Wed, 25 Mar 2026 15:11:32 -0400
Subject: [PATCH] Harden GitHub Actions: set explicit permissions
---
 .github/workflows/add-issue-to-project.yml | 3 +++
 .github/workflows/golangci-lint.yml | 3 +++
 .github/workflows/registry-publish.yml | 4 ++++
 .github/workflows/stale.yml | 5 +++++
 .github/workflows/steampipe-anywhere.yml | 3 +++
 .github/workflows/sync-labels.yml | 4 ++++
 6 files changed, 22 insertions(+)
diff --git a/.github/workflows/add-issue-to-project.yml b/.github/workflows/add-issue-to-project.yml
index a86bab6..d950ac8 100644
--- a/.github/workflows/add-issue-to-project.yml
+++ b/.github/workflows/add-issue-to-project.yml
@@ -4,6 +4,9 @@ on:
 issues:
 types: [opened]
+permissions:
+ contents: read
+
 jobs:
 add-to-project:
 uses: turbot/steampipe-workflows/.github/workflows/assign-issue-to-project.yml@main
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index 89d6997..dfbe913 100644
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -7,6 +7,9 @@ on:
 - main
 pull_request:
+permissions:
+ contents: read
+
 jobs:
 golangci_lint_workflow:
 uses: turbot/steampipe-workflows/.github/workflows/golangci-lint.yml@main
diff --git a/.github/workflows/registry-publish.yml b/.github/workflows/registry-publish.yml
index 08f3d59..54efbec 100644
--- a/.github/workflows/registry-publish.yml
+++ b/.github/workflows/registry-publish.yml
@@ -5,6 +5,10 @@ on:
 tags:
 - 'v*'
+permissions:
+ contents: read
+ packages: write
+
 jobs:
 registry_publish_workflow_ghcr:
 uses: turbot/steampipe-workflows/.github/workflows/registry-publish-ghcr.yml@main
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 6a30f3b..e412fae 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
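Review bot: The new top-level `permissions` block caps what the reusable workflow's GITHUB_TOKEN can do, but this job and the other five in the series still call `turbot/steampipe-workflows/...@main`, a mutable ref, so what actually runs under that cap is whatever the branch holds at run time; a permissions-hardening pass is the natural moment to pin to a full commit SHA (`uses: turbot/steampipe-workflows/.github/workflows/assign-issue-to-project.yml@<commit-sha>  # <tag>` with the placeholders filled in) or, if same-org `@main` is an accepted trust boundary, to say so in a comment. The same applies to golangci-lint.yml, registry-publish.yml, stale.yml, steampipe-anywhere.yml and sync-labels.yml. Separately, with only `contents: read` the built-in token cannot add an issue to a Project, so the called workflow presumably relies on a passed-in secret (a PAT or App token); if so, that secret's scopes are where the privilege really lives and deserve a note next to this block, e.g. `# GITHUB_TOKEN is read-only here; project writes use the token passed in via secrets`. Whatever follows the `uses:` line (inputs, `secrets:`) is outside the hunk.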
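Review bot: The write grant added here (`packages: write`), and the ones in stale.yml, steampipe-anywhere.yml and sync-labels.yml, carry no comment saying which step needs them, which is how scopes accrete unnoticed in later edits; a one-line rationale per write scope keeps the least-privilege intent auditable, e.g. `packages: write  # presumably the image push to GHCR in registry-publish-ghcr.yml — confirm`. `contents: read` is the right floor for a checkout. Because the caller's grants are the ceiling for the called workflow, which can narrow but not widen them, the rationale belongs in this file rather than in steampipe-workflows.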
@@ -10,6 +10,11 @@ on:
 default: "false"
 type: string
+permissions:
+ contents: read
+ issues: write
+ pull-requests: write
+
 jobs:
 stale_workflow:
 uses: turbot/steampipe-workflows/.github/workflows/stale.yml@main
diff --git a/.github/workflows/steampipe-anywhere.yml b/.github/workflows/steampipe-anywhere.yml
index 05092d6..7221bd7 100644
--- a/.github/workflows/steampipe-anywhere.yml
+++ b/.github/workflows/steampipe-anywhere.yml
@@ -6,6 +6,9 @@ on:
 - 'v*'
+permissions:
+ contents: write
+
 jobs:
 anywhere_publish_workflow:
 uses: turbot/steampipe-workflows/.github/workflows/steampipe-anywhere.yml@main
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index 6a2e42a..0c3f35b 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -4,6 +4,10 @@ on:
 - cron: "30 22 * * 1"
 workflow_dispatch:
+permissions:
+ contents: read
+ issues: write
+
 jobs:
 sync_labels_workflow:
 uses: turbot/steampipe-workflows/.github/workflows/sync-labels.yml@main
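Review bot: `contents: read` may be wider than this job needs: a stale sweep acts on issues and pull requests through the API and does not normally check out the repository, in which case `contents: none` is the tighter floor — worth confirming against the called stale.yml in steampipe-workflows before narrowing. `issues: write` and `pull-requests: write` match what marking and closing stale items requires. The job definition continues past the `uses:` line, outside the hunk.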
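Review bot: `contents: write` is the only repository-write grant in this series, and it is given to a job that runs on any `v*` tag push, so for the duration of the job the token can modify branches, tags and releases, not just publish; confirm the called steampipe-anywhere.yml genuinely needs write (presumably to create the release for the tag) rather than read, and record the reason, e.g. `contents: write  # create the GitHub release for the tag — confirm in steampipe-workflows`. Release creation and repository pushes share the single `contents` scope, so there is no finer-grained built-in token to fall back on, which makes the rationale comment and the pinned, reviewed called workflow the main controls here. The job body continues outside the hunk.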