From 17f45d091ae2a820e6df0cb4455584aeb52c8723 Mon Sep 17 00:00:00 2001 From: Benoit Marty Date: Thu, 5 Mar 2026 15:34:16 +0100 Subject: [PATCH] Remove all permission by default. --- .github/workflows/build.yml | 2 ++ .github/workflows/build_enterprise.yml | 2 ++ .github/workflows/danger.yml | 2 ++ .github/workflows/fork-pr-notice.yml | 2 ++ .github/workflows/generate_github_pages.yml | 2 ++ .github/workflows/gradle-wrapper-update.yml | 2 ++ .github/workflows/maestro-local.yml | 2 ++ .github/workflows/nightly.yml | 2 ++ .github/workflows/nightlyReports.yml | 2 ++ .github/workflows/post-release.yml | 2 ++ .github/workflows/pull_request.yml | 2 ++ .github/workflows/quality.yml | 2 ++ .github/workflows/recordScreenshots.yml | 2 ++ .github/workflows/release.yml | 2 ++ .github/workflows/sonar.yml | 2 ++ .github/workflows/stale-issues.yml | 2 ++ .github/workflows/sync-localazy.yml | 2 ++ .github/workflows/sync-sas-strings.yml | 2 ++ .github/workflows/tests.yml | 2 ++ .github/workflows/triage-incoming.yml | 2 ++ .github/workflows/triage-labelled.yml | 2 ++ .github/workflows/validate-lfs.yml | 2 ++ 22 files changed, 44 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 27466eb057..6239d2ce31 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -7,6 +7,8 @@ on: push: branches: [ develop ] +permissions: {} + # Enrich gradle.properties for CI/CD env: GRADLE_OPTS: -Dorg.gradle.jvmargs=-Xmx8g -XX:MaxMetaspaceSize=512m -Dfile.encoding=UTF-8 -XX:+HeapDumpOnOutOfMemoryError -XX:+UseG1GC -Dkotlin.daemon.jvm.options=-Xmx4g diff --git a/.github/workflows/build_enterprise.yml b/.github/workflows/build_enterprise.yml index 8e9eb10fc9..47010b2282 100644 --- a/.github/workflows/build_enterprise.yml +++ b/.github/workflows/build_enterprise.yml 
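Review bot: Nothing in this hunk, or in the other 21 hunks that add the same two lines, gives any job back the scopes that the new workflow-level `permissions: {}` removes from GITHUB_TOKEN. The job bodies start after the hunk context, so it cannot be confirmed from here whether they already declare their own `permissions:` or use a separate token. Any job that relies on the default token (the names stale-issues.yml, fork-pr-notice.yml and danger.yml suggest they might) would need a minimal job-level grant such as `permissions:` with `contents: read`, widened only where the job writes. A comment above the new line would record the intent, e.g. `# Deny all GITHUB_TOKEN scopes by default; grant the minimum needed per job.` The cron-triggered workflows (nightly.yml, nightlyReports.yml, stale-issues.yml, sync-localazy.yml, sync-sas-strings.yml) would only show a permission failure on their next scheduled run, so they are worth triggering once by hand after the merge.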
@@ -7,6 +7,8 @@ on: push: branches: [ develop ] +permissions: {} + # Enrich gradle.properties for CI/CD env: GRADLE_OPTS: -Dorg.gradle.jvmargs=-Xmx8g -XX:MaxMetaspaceSize=512m -Dfile.encoding=UTF-8 -XX:+HeapDumpOnOutOfMemoryError -XX:+UseG1GC -Dkotlin.daemon.jvm.options=-Xmx4g diff --git a/.github/workflows/danger.yml b/.github/workflows/danger.yml index cba21bf1d2..210514c378 100644 --- a/.github/workflows/danger.yml +++ b/.github/workflows/danger.yml @@ -2,6 +2,8 @@ name: Danger CI on: [pull_request, merge_group] +permissions: {} + jobs: build: runs-on: ubuntu-latest diff --git a/.github/workflows/fork-pr-notice.yml b/.github/workflows/fork-pr-notice.yml index ffa40f4f79..246cf371d8 100644 --- a/.github/workflows/fork-pr-notice.yml +++ b/.github/workflows/fork-pr-notice.yml @@ -7,6 +7,8 @@ on: - opened - reopened +permissions: {} + jobs: welcome: runs-on: ubuntu-latest diff --git a/.github/workflows/generate_github_pages.yml b/.github/workflows/generate_github_pages.yml index 7f6107a5e4..f7a9953b0d 100644 --- a/.github/workflows/generate_github_pages.yml +++ b/.github/workflows/generate_github_pages.yml @@ -5,6 +5,8 @@ on: # At 00:00 on every Tuesday UTC - cron: '0 0 * * 2' +permissions: {} + jobs: generate-github-pages: runs-on: ubuntu-latest diff --git a/.github/workflows/gradle-wrapper-update.yml b/.github/workflows/gradle-wrapper-update.yml index 7637af7e62..66078b7b4b 100644 --- a/.github/workflows/gradle-wrapper-update.yml +++ b/.github/workflows/gradle-wrapper-update.yml @@ -5,6 +5,8 @@ on: schedule: - cron: "0 0 * * *" +permissions: {} + jobs: update-gradle-wrapper: runs-on: ubuntu-latest diff --git a/.github/workflows/maestro-local.yml b/.github/workflows/maestro-local.yml index 0ccebf43ae..b1aa44689a 100644 --- a/.github/workflows/maestro-local.yml +++ b/.github/workflows/maestro-local.yml 
@@ -5,6 +5,8 @@ on: workflow_dispatch: pull_request: +permissions: {} + # Enrich gradle.properties for CI/CD env: GRADLE_OPTS: -Dorg.gradle.jvmargs=-Xmx8g -XX:MaxMetaspaceSize=512m -Dfile.encoding=UTF-8 -XX:+HeapDumpOnOutOfMemoryError -XX:+UseG1GC -Dkotlin.daemon.jvm.options=-Xmx4g diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 3b4957d63b..31a8806a85 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -6,6 +6,8 @@ on: # Every nights at 4 - cron: "0 4 * * *" +permissions: {} + env: GRADLE_OPTS: -Dorg.gradle.jvmargs=-Xmx8g -XX:MaxMetaspaceSize=512m -Dfile.encoding=UTF-8 -XX:+HeapDumpOnOutOfMemoryError -XX:+UseG1GC -Dkotlin.daemon.jvm.options=-Xmx4g CI_GRADLE_ARG_PROPERTIES: --stacktrace --no-daemon -Dsonar.gradle.skipCompile=true --no-configuration-cache diff --git a/.github/workflows/nightlyReports.yml b/.github/workflows/nightlyReports.yml index 11a0f91efd..2fbac726fe 100644 --- a/.github/workflows/nightlyReports.yml +++ b/.github/workflows/nightlyReports.yml @@ -6,6 +6,8 @@ on: # Every nights at 5 - cron: "0 5 * * *" +permissions: {} + # Enrich gradle.properties for CI/CD env: GRADLE_OPTS: -Dorg.gradle.jvmargs=-Xmx8g -XX:MaxMetaspaceSize=512m -Dfile.encoding=UTF-8 -XX:+HeapDumpOnOutOfMemoryError -XX:+UseG1GC -Dkotlin.daemon.jvm.options=-Xmx4g diff --git a/.github/workflows/post-release.yml b/.github/workflows/post-release.yml index 1394c0bc96..5349a678bc 100644 --- a/.github/workflows/post-release.yml +++ b/.github/workflows/post-release.yml @@ -5,6 +5,8 @@ on: tags: - 'v*' +permissions: {} + jobs: post-release: runs-on: ubuntu-latest diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 57a42a8f0c..89dbdfa6cb 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -7,6 +7,8 @@ on: ELEMENT_BOT_TOKEN: required: true +permissions: {} + jobs: prevent-blocked: name: Prevent blocked 
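Review bot: In pull_request.yml the added `permissions: {}` limits only GITHUB_TOKEN. The `ELEMENT_BOT_TOKEN` secret, declared `required: true` just above it, keeps whatever scopes it was issued with, so for jobs that use it, that token rather than the new line sets their effective privilege. A comment would make the boundary explicit, e.g. `# Restricts GITHUB_TOKEN only; ELEMENT_BOT_TOKEN scopes are set on the token itself.` The jobs start at `prevent-blocked` and continue outside the hunk, so how the secret is used there cannot be checked from here.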
diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml index 09ec9b8c48..6ac2636bfb 100644 --- a/.github/workflows/quality.yml +++ b/.github/workflows/quality.yml @@ -7,6 +7,8 @@ on: push: branches: [ main, develop ] +permissions: {} + # Enrich gradle.properties for CI/CD env: GRADLE_OPTS: -Dorg.gradle.jvmargs=-Xmx8g -XX:MaxMetaspaceSize=512m -Dfile.encoding=UTF-8 -XX:+HeapDumpOnOutOfMemoryError -XX:+UseG1GC -Dkotlin.daemon.jvm.options=-Xmx4g diff --git a/.github/workflows/recordScreenshots.yml b/.github/workflows/recordScreenshots.yml index c73dd14a36..c6685ef9fd 100644 --- a/.github/workflows/recordScreenshots.yml +++ b/.github/workflows/recordScreenshots.yml @@ -5,6 +5,8 @@ on: pull_request: types: [ labeled ] +permissions: {} + # Enrich gradle.properties for CI/CD env: GRADLE_OPTS: -Dorg.gradle.jvmargs=-Xmx8g -XX:MaxMetaspaceSize=512m -Dfile.encoding=UTF-8 -XX:+HeapDumpOnOutOfMemoryError -XX:+UseG1GC -Dkotlin.daemon.jvm.options=-Xmx4g -Dsonar.gradle.skipCompile=true diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2a0f7f11f6..fb52d3fa31 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,6 +5,8 @@ on: push: branches: [ main ] +permissions: {} + # Enrich gradle.properties for CI/CD env: GRADLE_OPTS: -Dorg.gradle.jvmargs=-Xmx8g -XX:MaxMetaspaceSize=512m -Dfile.encoding=UTF-8 -XX:+HeapDumpOnOutOfMemoryError -XX:+UseG1GC -Dkotlin.daemon.jvm.options=-Xmx4g diff --git a/.github/workflows/sonar.yml b/.github/workflows/sonar.yml index ec61759711..8130cd02ed 100644 --- a/.github/workflows/sonar.yml +++ b/.github/workflows/sonar.yml @@ -7,6 +7,8 @@ on: push: branches: [ main, develop ] +permissions: {} + # Enrich gradle.properties for CI/CD env: GRADLE_OPTS: -Dorg.gradle.jvmargs=-Xmx8g -XX:MaxMetaspaceSize=512m -Dfile.encoding=UTF-8 -XX:+HeapDumpOnOutOfMemoryError -XX:+UseG1GC -Dkotlin.daemon.jvm.options=-Xmx4g 
diff --git a/.github/workflows/stale-issues.yml b/.github/workflows/stale-issues.yml index 08ddb9795a..1958e80083 100644 --- a/.github/workflows/stale-issues.yml +++ b/.github/workflows/stale-issues.yml @@ -4,6 +4,8 @@ on: schedule: - cron: "30 1 * * *" +permissions: {} + jobs: stale: runs-on: ubuntu-latest diff --git a/.github/workflows/sync-localazy.yml b/.github/workflows/sync-localazy.yml index 77bdf8338f..914bf4b35c 100644 --- a/.github/workflows/sync-localazy.yml +++ b/.github/workflows/sync-localazy.yml @@ -5,6 +5,8 @@ on: # At 00:00 on every Monday UTC - cron: '0 0 * * 1' +permissions: {} + jobs: sync-localazy: runs-on: ubuntu-latest diff --git a/.github/workflows/sync-sas-strings.yml b/.github/workflows/sync-sas-strings.yml index e283a6d11e..7f9dbdee0d 100644 --- a/.github/workflows/sync-sas-strings.yml +++ b/.github/workflows/sync-sas-strings.yml @@ -5,6 +5,8 @@ on: # At 00:00 on every Monday UTC - cron: '0 0 * * 1' +permissions: {} + jobs: sync-sas-strings: runs-on: ubuntu-latest diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index b469f725e2..3cbacd759c 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -7,6 +7,8 @@ on: push: branches: [ main, develop ] +permissions: {} + # Enrich gradle.properties for CI/CD env: GRADLE_OPTS: -Dorg.gradle.jvmargs="-Xmx7g -XX:MaxMetaspaceSize=512m -Dfile.encoding=UTF-8 -XX:+HeapDumpOnOutOfMemoryError" -Dkotlin.daemon.jvm.options=-Xmx2g -XX:+UseG1GC diff --git a/.github/workflows/triage-incoming.yml b/.github/workflows/triage-incoming.yml index 2a9cec5957..8e8d03c9c4 100644 --- a/.github/workflows/triage-incoming.yml +++ b/.github/workflows/triage-incoming.yml @@ -4,6 +4,8 @@ on: issues: types: [ opened ] +permissions: {} + jobs: triage-new-issues: runs-on: ubuntu-latest diff --git a/.github/workflows/triage-labelled.yml b/.github/workflows/triage-labelled.yml index f5e1981a38..3ec20f332b 100644 --- a/.github/workflows/triage-labelled.yml 
+++ b/.github/workflows/triage-labelled.yml @@ -4,6 +4,8 @@ on: issues: types: [labeled] +permissions: {} + jobs: move_element_x_issues: name: ElementX issues to ElementX project board diff --git a/.github/workflows/validate-lfs.yml b/.github/workflows/validate-lfs.yml index 3246cbd1a8..3d35a5cba2 100644 --- a/.github/workflows/validate-lfs.yml +++ b/.github/workflows/validate-lfs.yml @@ -2,6 +2,8 @@ name: Validate Git LFS on: [pull_request, merge_group] +permissions: {} + jobs: build: runs-on: ubuntu-latest