From d9e7264a817d4b226e3ca01d89c37129350a177f Mon Sep 17 00:00:00 2001 From: ZePan110 Date: Tue, 20 May 2025 15:17:17 +0800 Subject: [PATCH] Fix Signed-off-by: ZePan110 --- .github/workflows/_gmc-e2e.yml | 3 ++- .github/workflows/_gmc-workflow.yml | 3 ++- .github/workflows/dockerhub-description.yml | 2 ++ .github/workflows/manual-docker-clean.yml | 2 ++ .github/workflows/manual-freeze-tag.yml | 3 ++- .github/workflows/manual-image-build.yml | 2 ++ .github/workflows/manual-reset-local-registry.yml | 2 ++ .github/workflows/mix-trellix.yml | 3 ++- .github/workflows/nightly-docker-build-publish.yml | 3 ++- .github/workflows/pr-chart-e2e.yml | 3 ++- .github/workflows/pr-check-duplicated-image.yml | 3 ++- .github/workflows/pr-code-scan.yml | 3 ++- .github/workflows/pr-docker-compose-e2e.yml | 3 +++ .github/workflows/pr-dockerfile-path-and-build-yaml-scan.yml | 3 ++- .github/workflows/pr-link-path-scan.yml | 3 +++ .github/workflows/push-image-build.yml | 3 +++ .github/workflows/push-images-path-detection.yml | 4 +++- .github/workflows/push-infra-issue-creation.yml | 4 ++++ .github/workflows/weekly-example-test.yml | 3 +++ 19 files changed, 45 insertions(+), 10 deletions(-) diff --git a/.github/workflows/_gmc-e2e.yml b/.github/workflows/_gmc-e2e.yml index 331eea0c8..ba50e8b95 100644 --- a/.github/workflows/_gmc-e2e.yml +++ b/.github/workflows/_gmc-e2e.yml @@ -3,7 +3,8 @@ # This workflow will only test GMC pipeline and will not install GMC any more name: Single GMC E2e Test For CD Workflow Call - +permissions: + contents: read on: workflow_call: inputs: diff --git a/.github/workflows/_gmc-workflow.yml b/.github/workflows/_gmc-workflow.yml index 77c01177a..32ff08266 100644 --- a/.github/workflows/_gmc-workflow.yml +++ b/.github/workflows/_gmc-workflow.yml @@ -2,7 +2,8 @@ # SPDX-License-Identifier: Apache-2.0 name: Build and deploy GMC system on call and manual - +permissions: + contents: read on: workflow_dispatch: inputs: 
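Review bot: The new top-level `permissions:` block in `_gmc-e2e.yml` has no comment, and because it names only `contents` it sets every other GITHUB_TOKEN scope to `none` for all jobs in the file; the same two lines are added without annotation in the other 18 workflows of this patch. No hunk adds a job-level `permissions:` entry, and the `jobs:` sections are outside these hunks, so any job that needs more than read access to repository contents has to be checked by hand. This file is triggered by `workflow_call`, so its token is also capped by what the calling workflow grants, and the block here can only narrow it. I would add a line above the block such as `# Least-privilege default for GITHUB_TOKEN; grant extra scopes per job, not here.`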
diff --git a/.github/workflows/dockerhub-description.yml b/.github/workflows/dockerhub-description.yml index 4dcfee1f3..296f464f4 100644 --- a/.github/workflows/dockerhub-description.yml +++ b/.github/workflows/dockerhub-description.yml @@ -2,6 +2,8 @@ # SPDX-License-Identifier: Apache-2.0 name: Update Docker Hub Description +permissions: + contents: read on: schedule: - cron: "0 0 * * 0" diff --git a/.github/workflows/manual-docker-clean.yml b/.github/workflows/manual-docker-clean.yml index 25cf22872..886cf2723 100644 --- a/.github/workflows/manual-docker-clean.yml +++ b/.github/workflows/manual-docker-clean.yml @@ -2,6 +2,8 @@ # SPDX-License-Identifier: Apache-2.0 name: Clean up container on manual event +permissions: + contents: read on: workflow_dispatch: inputs: diff --git a/.github/workflows/manual-freeze-tag.yml b/.github/workflows/manual-freeze-tag.yml index 6dd55c903..88c1bb6c8 100644 --- a/.github/workflows/manual-freeze-tag.yml +++ b/.github/workflows/manual-freeze-tag.yml @@ -2,7 +2,8 @@ # SPDX-License-Identifier: Apache-2.0 name: Freeze OPEA images release tag - +permissions: + contents: read on: workflow_dispatch: inputs: diff --git a/.github/workflows/manual-image-build.yml b/.github/workflows/manual-image-build.yml index 92da9c223..34bd04f3e 100644 --- a/.github/workflows/manual-image-build.yml +++ b/.github/workflows/manual-image-build.yml @@ -2,6 +2,8 @@ # SPDX-License-Identifier: Apache-2.0 name: Build specific images on manual event +permissions: + contents: read on: workflow_dispatch: inputs: diff --git a/.github/workflows/manual-reset-local-registry.yml b/.github/workflows/manual-reset-local-registry.yml index de9cfd78e..92957c0d4 100644 --- a/.github/workflows/manual-reset-local-registry.yml +++ b/.github/workflows/manual-reset-local-registry.yml @@ -2,6 +2,8 @@ # SPDX-License-Identifier: Apache-2.0 name: Clean up Local Registry on manual event +permissions: + contents: read on: workflow_dispatch: inputs: 
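Review bot: `contents: read` at the top of `manual-freeze-tag.yml` may be too narrow for a workflow named "Freeze OPEA images release tag": if any job pushes a commit or a tag with the default token, that push will be rejected once this block is in place. The jobs are outside the hunk, so this is inferred from the workflow name only and needs confirming against the job steps. If a push is involved, keep the read-only default here and widen only the job that needs it with a job-level `permissions:` containing `contents: write`, rather than raising the workflow-level value.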
diff --git a/.github/workflows/mix-trellix.yml b/.github/workflows/mix-trellix.yml index 8779f3b9a..65f18e6db 100644 --- a/.github/workflows/mix-trellix.yml +++ b/.github/workflows/mix-trellix.yml @@ -2,7 +2,8 @@ # SPDX-License-Identifier: Apache-2.0 name: Trellix Command Line Scanner - +permissions: + contents: read on: workflow_dispatch: schedule: diff --git a/.github/workflows/nightly-docker-build-publish.yml b/.github/workflows/nightly-docker-build-publish.yml index adac4b6d1..4daf7b70a 100644 --- a/.github/workflows/nightly-docker-build-publish.yml +++ b/.github/workflows/nightly-docker-build-publish.yml @@ -2,7 +2,8 @@ # SPDX-License-Identifier: Apache-2.0 name: Nightly build/publish latest docker images - +permissions: + contents: read on: schedule: - cron: "30 14 * * 1-5" # UTC time diff --git a/.github/workflows/pr-chart-e2e.yml b/.github/workflows/pr-chart-e2e.yml index 876960e7d..3990e5fce 100644 --- a/.github/workflows/pr-chart-e2e.yml +++ b/.github/workflows/pr-chart-e2e.yml @@ -2,7 +2,8 @@ # SPDX-License-Identifier: Apache-2.0 name: E2E Test with Helm Charts - +permissions: + contents: read on: pull_request_target: branches: [main] diff --git a/.github/workflows/pr-check-duplicated-image.yml b/.github/workflows/pr-check-duplicated-image.yml index 0cdba415a..2922b8f4f 100644 --- a/.github/workflows/pr-check-duplicated-image.yml +++ b/.github/workflows/pr-check-duplicated-image.yml @@ -2,7 +2,8 @@ # SPDX-License-Identifier: Apache-2.0 name: Check Duplicated Images - +permissions: + contents: read on: pull_request: branches: [main] diff --git a/.github/workflows/pr-code-scan.yml b/.github/workflows/pr-code-scan.yml index 7accb94ea..fb3ca7c8c 100644 --- a/.github/workflows/pr-code-scan.yml +++ b/.github/workflows/pr-code-scan.yml @@ -2,7 +2,8 @@ # SPDX-License-Identifier: Apache-2.0 name: Code Scan - +permissions: + contents: read on: pull_request: branches: [main] 
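Review bot: In `pr-chart-e2e.yml` the read-only token is added to a workflow triggered by `pull_request_target`, and the block does not address the larger exposure of that trigger: the run executes in the base repository's context with access to its secrets, whatever the GITHUB_TOKEN scope is. The jobs are not visible in this hunk, so whether they check out or execute code from the pull request head has to be confirmed separately; if they do, restricting `contents` alone still leaves the secrets reachable from untrusted code. The same applies to `pr-docker-compose-e2e.yml` later in this patch. A comment above the trigger, e.g. `# pull_request_target: runs with base-repo secrets; do not execute PR head code without review`, would record the constraint for maintainers.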
diff --git a/.github/workflows/pr-docker-compose-e2e.yml b/.github/workflows/pr-docker-compose-e2e.yml index a7604f29a..d7aba56bb 100644 --- a/.github/workflows/pr-docker-compose-e2e.yml +++ b/.github/workflows/pr-docker-compose-e2e.yml @@ -3,6 +3,9 @@ name: E2E test with docker compose +permissions: + contents: read + on: pull_request_target: branches: ["main", "*rc"] diff --git a/.github/workflows/pr-dockerfile-path-and-build-yaml-scan.yml b/.github/workflows/pr-dockerfile-path-and-build-yaml-scan.yml index 3b8be2613..2775c2ae1 100644 --- a/.github/workflows/pr-dockerfile-path-and-build-yaml-scan.yml +++ b/.github/workflows/pr-dockerfile-path-and-build-yaml-scan.yml @@ -2,7 +2,8 @@ # SPDX-License-Identifier: Apache-2.0 name: Compose file and dockerfile path checking - +permissions: + contents: read on: pull_request: branches: [main] diff --git a/.github/workflows/pr-link-path-scan.yml b/.github/workflows/pr-link-path-scan.yml index 3b147af24..d2af0c9dc 100644 --- a/.github/workflows/pr-link-path-scan.yml +++ b/.github/workflows/pr-link-path-scan.yml @@ -3,6 +3,9 @@ name: Check hyperlinks and relative path validity +permissions: + contents: read + on: pull_request: branches: [main] diff --git a/.github/workflows/push-image-build.yml b/.github/workflows/push-image-build.yml index 0cbbb970d..e22d7c295 100644 --- a/.github/workflows/push-image-build.yml +++ b/.github/workflows/push-image-build.yml @@ -3,6 +3,9 @@ # Test name: Build latest images on push event +permissions: + contents: read + on: push: branches: [ 'main' ] diff --git a/.github/workflows/push-images-path-detection.yml b/.github/workflows/push-images-path-detection.yml index 299ee4d18..9edfad267 100644 --- a/.github/workflows/push-images-path-detection.yml +++ b/.github/workflows/push-images-path-detection.yml 
@@ -3,10 +3,12 @@ name: Check the validity of links in docker_images_list. +permissions: + contents: read + on: push: branches: [main] - types: [opened, reopened, ready_for_review, synchronize] jobs: check-dockerfile-paths: diff --git a/.github/workflows/push-infra-issue-creation.yml b/.github/workflows/push-infra-issue-creation.yml index 132f64d1a..2dd2de23c 100644 --- a/.github/workflows/push-infra-issue-creation.yml +++ b/.github/workflows/push-infra-issue-creation.yml @@ -8,6 +8,10 @@ on: - "**/docker_compose/**/compose*.yaml" name: Create an issue to GenAIInfra on push + +permissions: + contents: read + jobs: job1: name: Create issue diff --git a/.github/workflows/weekly-example-test.yml b/.github/workflows/weekly-example-test.yml index 4b8391a1d..c3e89fa9f 100644 --- a/.github/workflows/weekly-example-test.yml +++ b/.github/workflows/weekly-example-test.yml @@ -3,6 +3,9 @@ name: Weekly test all examples on multiple HWs +permissions: + contents: read + on: schedule: - cron: "30 2 * * 6" # UTC time
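Review bot: In `push-infra-issue-creation.yml` the new block leaves the `issues` scope at `none`, while the workflow is named "Create an issue to GenAIInfra on push". If the `Create issue` job authenticates with the default GITHUB_TOKEN, issue creation will fail and the job needs `issues: write` at job level. If it uses a separate token stored as a secret, which seems likely since the target appears to be another repository, this block does not constrain that token and its scope should be reviewed on its own. The job steps are outside the hunk, so which case applies cannot be determined from here. Either way, a comment such as `# GITHUB_TOKEN is read-only here; issue creation uses <token name>` would make the intent clear.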