harden docker workflow permissions

2026-05-09 04:36:31 +08:00 · 2026-03-28 07:10:55 +08:00 · 2026-03-28 07:10:55 +08:00 · e40e0aaed6
commit e40e0aaed6
parent e89e83243a
2 changed files with 6 additions and 0 deletions
--- a/.github/workflows/build-push.yml
+++ b/.github/workflows/build-push.yml
@ -12,6 +12,9 @@ on:
    tags:
      - "*"

+permissions:
+  contents: read
+
 concurrency:
  group: build-push-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@ -8,6 +8,9 @@ on:
      - api/Dockerfile
      - web/Dockerfile

+permissions:
+  contents: read
+
 concurrency:
  group: docker-build-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true