CI: Restrict default permissions

tacaswell · tacaswell · commit 74a27f8996e7 · 2025-07-17T23:14:54.000-04:00
Reduces risk of arbitrary code is run by attacker.
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -1,4 +1,6 @@
 name: Lint
+permissions:
+  contents: read
 
 on:
   push:
diff --git a/{{cookiecutter.github_project_name}}/.github/workflows/lint.yml b/{{cookiecutter.github_project_name}}/.github/workflows/lint.yml
@@ -1,4 +1,6 @@
 name: Lint
+permissions:
+  contents: read
 
 on:
   push:
diff --git a/{{cookiecutter.github_project_name}}/.github/workflows/publish.yml b/{{cookiecutter.github_project_name}}/.github/workflows/publish.yml
@@ -1,5 +1,7 @@
 # heavily based on https://github.com/jupyterlab/jupyterlab-git/blob/v0.22.2/.github/workflows/publish.yml
 name: Publish Package
+permissions:
+  contents: read
 
 on:
   release:
diff --git a/{{cookiecutter.github_project_name}}/.github/workflows/test.yml b/{{cookiecutter.github_project_name}}/.github/workflows/test.yml
@@ -1,4 +1,6 @@
 name: Test
+permissions:
+  contents: read
 
 on:
   push:
