CI: Restrict default permissions

tacaswell · tacaswell · commit ed2a8a4ede26 · 2025-07-17T23:25:20.000-04:00
Reduces risk of arbitrary code is run by attacker.
diff --git a/{{cookiecutter.github_project_name}}/.github/workflows/publish.yml b/{{cookiecutter.github_project_name}}/.github/workflows/publish.yml
@@ -11,6 +11,10 @@ on:
 jobs:
   deploy:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      attestations: write
+      contents: read
     steps:
     - uses: actions/checkout@v2
       with:
