Resolve a rash of missing-permissions issues called out by CodeQL

greenc-FNAL · greenc-FNAL · commit 13e44d70f0cd · 2025-11-14T09:31:22.000-06:00
Shouldn't need package permissions for a public image

Try with top-level permissions block
diff --git a/.github/workflows/add-issues.yaml b/.github/workflows/add-issues.yaml
@@ -5,6 +5,8 @@ on:
     types:
       - opened
 
+permissions: {}
+
 jobs:
   add-to-project:
     name: Add issue to project
diff --git a/.github/workflows/clang-format-check.yaml b/.github/workflows/clang-format-check.yaml
@@ -1,6 +1,10 @@
 name: Clang-Format Check
 run-name: "${{ github.actor }} checking code format"
 
+permissions:
+  contents: read
+  pull-requests: read
+
 on:
   pull_request:
     branches: [ main ]
diff --git a/.github/workflows/clang-format-fix.yaml b/.github/workflows/clang-format-fix.yaml
@@ -7,8 +7,8 @@ on:
       - created
 
 permissions:
-   pull-requests: write
-   contents: write
+  pull-requests: write
+  contents: write
 
 jobs:
   check:
diff --git a/.github/workflows/clang-tidy-check.yaml b/.github/workflows/clang-tidy-check.yaml
@@ -1,6 +1,10 @@
 name: Clang-Tidy Check
 'run-name': "${{ github.actor }} running clang-tidy check"
 
+permissions:
+  contents: read
+  pull-requests: read
+
 on:
   pull_request:
     branches: [ main ]
diff --git a/.github/workflows/clang-tidy-fix.yaml b/.github/workflows/clang-tidy-fix.yaml
@@ -7,8 +7,8 @@ on:
       - created
 
 permissions:
-   pull-requests: write
-   contents: write
+  pull-requests: write
+  contents: write
 
 jobs:
   check:
diff --git a/.github/workflows/cmake-build.yaml b/.github/workflows/cmake-build.yaml
@@ -6,6 +6,10 @@ on:
     types: [created]
   workflow_dispatch:
 
+permissions:
+  contents: read
+  pull-requests: read
+
 env:
   BUILD_TYPE: Release
 
diff --git a/.github/workflows/cmake-format-check.yaml b/.github/workflows/cmake-format-check.yaml
@@ -1,6 +1,10 @@
 name: CMake Format Check
 run-name: "${{ github.actor }} running CMake format check"
 
+permissions:
+  contents: read
+  pull-requests: read
+
 on:
   pull_request:
     branches: [ main ]
diff --git a/.github/workflows/cmake-format-fix.yaml b/.github/workflows/cmake-format-fix.yaml
@@ -7,8 +7,8 @@ on:
       - created
 
 permissions:
-   pull-requests: write
-   contents: write
+  pull-requests: write
+  contents: write
 
 jobs:
   check:
diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml
@@ -18,6 +18,10 @@ on:
         required: false
         default: 'ON'
 
+permissions:
+  contents: read
+  pull-requests: read
+
 jobs:
   detect-coverage-changes:
     runs-on: ubuntu-latest
