fix(lint): checkov findings

2026-01-26 11:23:57 +00:00 · 2024-06-19 09:59:15 +03:00
parent aae7a09cd5
commit 130718ef87
8 changed files with 43 additions and 8 deletions
--- a/.github/workflows/composer-install.yml
+++ b/.github/workflows/composer-install.yml
@@ -8,6 +8,10 @@ on:
      - "composer.json"
      - "composer.lock"

+permissions:
+  contents: write
+  statuses: write
+
 jobs:
  ComposerInstall:
    runs-on: ubuntu-latest
--- a/.github/workflows/compress-images.yml
+++ b/.github/workflows/compress-images.yml
@@ -2,10 +2,17 @@
 # Compress images on demand (workflow_dispatch), and at 11pm every Sunday (schedule).
 # Open a Pull Request if any images can be compressed.
 name: Compress Images on Demand
+
 on:
  workflow_dispatch:
  schedule:
    - cron: "00 23 * * 0"
+
+permissions:
+  contents: write
+  statuses: write
+  pull-requests: write
+
 jobs:
  CompressOnDemandOrSchedule:
    name: calibreapp/image-actions
--- a/.github/workflows/laravel-phpunit.yml
+++ b/.github/workflows/laravel-phpunit.yml
@@ -7,6 +7,10 @@ on:
  pull_request:
    branches: [main]

+permissions:
+  contents: write
+  statuses: write
+
 jobs:
  laravel-tests:
    runs-on: ubuntu-latest
--- a/.github/workflows/pr-compress-images.yml
+++ b/.github/workflows/pr-compress-images.yml
@@ -1,5 +1,6 @@
 ---
 name: Compress Images
+
 on:
  pull_request:
    # Run Image Actions when JPG, JPEG, PNG or WebP files are added or changed.
@@ -9,6 +10,12 @@ on:
      - "**.jpeg"
      - "**.png"
      - "**.webp"
+
+permissions:
+  contents: write
+  statuses: write
+  pull-requests: write
+
 jobs:
  CompressInPR:
    # Only run on Pull Requests within the same repository, and not from forks.
--- a/.github/workflows/pr-lint.yml
+++ b/.github/workflows/pr-lint.yml
@@ -24,6 +24,14 @@ on:
  pull_request:
    branches: [master, main]

+############################################
+# Grant status permission for MULTI_STATUS #
+############################################
+permissions:
+  contents: read
+  packages: read
+  statuses: write
+
 ###############
 # Set the Job #
 ###############
@@ -34,14 +42,6 @@ jobs:
    # Set the agent to run on
    runs-on: ubuntu-latest

-    ############################################
-    # Grant status permission for MULTI_STATUS #
-    ############################################
-    permissions:
-      contents: read
-      packages: read
-      statuses: write
-
    ##################
    # Load all steps #
    ##################
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -4,6 +4,10 @@ name: Release Drafter
 on:
  workflow_call:

+permissions:
+  contents: write
+  statuses: write
+
 jobs:
  update_release_draft:
    name: ✏️ Draft release
--- a/.github/workflows/reviewdog-linters.yml
+++ b/.github/workflows/reviewdog-linters.yml
@@ -3,6 +3,11 @@ name: Reviewdog Linters

 on: [push]

+permissions:
+  contents: read
+  packages: read
+  statuses: write
+
 jobs:
  linters:
    name: Linters
--- a/.github/workflows/sync-labels-to-own-projects.yml
+++ b/.github/workflows/sync-labels-to-own-projects.yml
@@ -12,6 +12,10 @@ on:
  schedule:
    - cron: "0 0 * * *" # Every day at midnight

+permissions:
+  contents: write
+  statuses: write
+
 jobs:
  sync-labels:
    runs-on: ubuntu-latest