From c30e0d59ee2d0977b20fb3190a44d9908701e21a Mon Sep 17 00:00:00 2001
From: Melissa Kilby
Date: Fri, 17 Oct 2025 13:30:03 -0700
Subject: [PATCH] chore: restrict GitHub workflow permissions - future-proof

Signed-off-by: Melissa Kilby
---
 .github/workflows/ci-prb.yml | 2 ++
 .github/workflows/ci-release-docs.yml | 8 +++++---
 .github/workflows/ci-release.yml | 2 ++
 .github/workflows/ci-snapshot.yml | 2 ++
 4 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci-prb.yml b/.github/workflows/ci-prb.yml
index 4feb917f..8ff50a1b 100644
--- a/.github/workflows/ci-prb.yml
+++ b/.github/workflows/ci-prb.yml
@@ -1,4 +1,6 @@
 name: PR Builder
+permissions:
+ contents: read
 on:
 pull_request:
 branches: [ main ]
diff --git a/.github/workflows/ci-release-docs.yml b/.github/workflows/ci-release-docs.yml
index 2f80b951..382c6c9c 100644
--- a/.github/workflows/ci-release-docs.yml
+++ b/.github/workflows/ci-release-docs.yml
@@ -1,10 +1,9 @@
 name: Doc Builder
+permissions:
+ contents: read
 on:
 release:
 types: [published]
-permissions:
- pages: write
- id-token: write
 jobs:
 build:
 name: Python Doc Builder
@@ -29,6 +28,9 @@ jobs:
 with:
 path: _build
 deploy:
+ permissions:
+ pages: write
+ id-token: write
 environment:
 name: github-pages
 url: ${{ steps.deployment.outputs.page_url }}
diff --git a/.github/workflows/ci-release.yml b/.github/workflows/ci-release.yml
index 7d6f4e69..ee4efc45 100644
--- a/.github/workflows/ci-release.yml
+++ b/.github/workflows/ci-release.yml
@@ -1,4 +1,6 @@
 name: Release Builder
+permissions:
+ contents: read
 on:
 release:
 types: [published]
diff --git a/.github/workflows/ci-snapshot.yml b/.github/workflows/ci-snapshot.yml
index a12311e4..f801cbf4 100644
--- a/.github/workflows/ci-snapshot.yml
+++ b/.github/workflows/ci-snapshot.yml
@@ -1,4 +1,6 @@
 name: Snapshot Builder
+permissions:
+ contents: read
 on:
 release:
 types: [published]
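Review bot: The workflow-level `permissions:` block added after `name: PR Builder` sets every scope it does not list to `none`, and the jobs it governs are outside the hunk, so it cannot be confirmed here that no step needs a write scope (posting a check run or PR comment, for instance). The same check is needed for the ci-release.yml and ci-snapshot.yml hunks, which are triggered on `release: published`: a job there that uploads assets to the release or publishes a package would now need `contents: write` or `packages: write` declared at job level, and the failure would surface only when a release is cut. A one-line comment above the block would record the intent for future editors: `# Least-privilege default: read-only GITHUB_TOKEN; grant write scopes per job.`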
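Review bot: The job-level `permissions:` block added under `deploy:` replaces the workflow-level grant for that job rather than extending it, so `deploy` ends with `pages: write` and `id-token: write` but no `contents: read`. That is correct if the job only consumes the `_build` artifact and deploys it, which is what the visible context suggests, but the remainder of the `deploy` job is outside the hunk; if any step there checks out the repository it would likely fail on a private repository, and only at release time. If a checkout is present, add `contents: read` to the job block; otherwise this hunk is the right shape, since the OIDC minting scope `id-token: write` is now confined to the single job that needs it instead of every job in the workflow.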