Reduce scopes granted to GITHUB_TOKEN in GitHub Actions workflows (#678)

edmorley · web-flow · commit 66dd01c961c4 · 2025-03-17T19:31:23.000-04:00
As part of security-hardening our GHA workflows, this reduces the permissions granted to the automatically set `GITHUB_TOKEN` env var in GitHub Actions workflows to no more than what is required by that workflow. See: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication GUS-W-18053749.
diff --git a/.github/workflows/update-lifecycle.yml b/.github/workflows/update-lifecycle.yml
@@ -6,6 +6,9 @@ on:
     - cron: '0 8 * * MON'
   workflow_dispatch:
 
+# Disable all GITHUB_TOKEN permissions, since the GitHub App token is used instead.
+permissions: {}
+
 jobs:
   update-lifecycle:
     name: Update lifecycle
