CI: Consistently add a top-level `permissions` definition to GHA workflows

This makes it easy to verify the permissions and to apply them to all jobs
within a given workflow.

diff --git a/.github/workflows/aws-lc-fips.yml b/.github/workflows/aws-lc-fips.yml
index cb758c6a3e634b32cb1d3df9a47459fa7c0eaf33..b7a5dbd3a0fdfe26c2d29248bbc2dee7efaad2ba 100644 (file)
--- a/.github/workflows/aws-lc-fips.yml
+++ b/.github/workflows/aws-lc-fips.yml
@@ -5,6 +5,9 @@ on:
     - cron: "0 0 * * 4"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   test:
     uses: ./.github/workflows/aws-lc-template.yml

diff --git a/.github/workflows/aws-lc.yml b/.github/workflows/aws-lc.yml
index 1e41257127e52dc84cb64d12c6611a9fece07080..bed888b91491f514bf5a2459fdb9288d2913f815 100644 (file)
--- a/.github/workflows/aws-lc.yml
+++ b/.github/workflows/aws-lc.yml
@@ -5,6 +5,9 @@ on:
     - cron: "0 0 * * 4"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   test:
     uses: ./.github/workflows/aws-lc-template.yml

diff --git a/.github/workflows/illumos.yml b/.github/workflows/illumos.yml
index 18284e4159e8d6f7503a3c3f68134c2de70f67f6..7105e745990f12445e8594043823119c6470c034 100644 (file)
--- a/.github/workflows/illumos.yml
+++ b/.github/workflows/illumos.yml
@@ -5,12 +5,13 @@ on:
     - cron: "0 0 25 * *"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   gcc:
     runs-on: ubuntu-latest
     if: ${{ github.repository_owner == 'haproxy' || github.event_name == 'workflow_dispatch' }}
-    permissions:
-      contents: read
     steps:
       - name: "Checkout repository"
         uses: actions/checkout@v5

diff --git a/.github/workflows/netbsd.yml b/.github/workflows/netbsd.yml
index 1c31aa9686b4fd06916f1f19e0879b8943c24685..834011eaf545c92a39ed8ce5d396908dbfe03241 100644 (file)
--- a/.github/workflows/netbsd.yml
+++ b/.github/workflows/netbsd.yml
@@ -5,12 +5,13 @@ on:
     - cron: "0 0 25 * *"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   gcc:
     runs-on: ubuntu-latest
     if: ${{ github.repository_owner == 'haproxy' || github.event_name == 'workflow_dispatch' }}
-    permissions:
-      contents: read
     steps:
       - name: "Checkout repository"
         uses: actions/checkout@v5

diff --git a/.github/workflows/quic-interop-aws-lc.yml b/.github/workflows/quic-interop-aws-lc.yml
index 718ebbe8c9f7f164b8927741d3439a5907a2c62f..a6e82788d07075e873e3b19048afde87cdfb41b4 100644 (file)
--- a/.github/workflows/quic-interop-aws-lc.yml
+++ b/.github/workflows/quic-interop-aws-lc.yml
@@ -9,13 +9,13 @@ on:
   schedule:
     - cron: "0 0 * * 2"
 
+permissions:
+  contents: read
 
 jobs:
   combined-build-and-run:
     runs-on: ubuntu-24.04
     if: ${{ github.repository_owner == 'haproxy' || github.event_name == 'workflow_dispatch' }}
-    permissions:
-      contents: read
 
     steps:
       - uses: actions/checkout@v5

diff --git a/.github/workflows/quic-interop-libressl.yml b/.github/workflows/quic-interop-libressl.yml
index 6c5d23d9898f1aaf2fb3a97fd078581e3aa9a16e..c40564709dd8869c86ef407ab14baa89b8fc6e07 100644 (file)
--- a/.github/workflows/quic-interop-libressl.yml
+++ b/.github/workflows/quic-interop-libressl.yml
@@ -9,13 +9,13 @@ on:
   schedule:
     - cron: "0 0 * * 2"
 
+permissions:
+  contents: read
 
 jobs:
   combined-build-and-run:
     runs-on: ubuntu-24.04
     if: ${{ github.repository_owner == 'haproxy' || github.event_name == 'workflow_dispatch' }}
-    permissions:
-      contents: read
 
     steps:
       - uses: actions/checkout@v5