CI: Restrict default permissions

tacaswell · tacaswell · commit 03e2714f3c9c · 2025-07-17T23:14:32.000-04:00
Reduces risk of arbitrary code is run by attacker.
diff --git a/.github/workflows/test_and_publish.yml b/.github/workflows/test_and_publish.yml
@@ -1,4 +1,6 @@
 name: CI
+permissions:
+  contents: read
 
 on:
   push:
diff --git a/.github/workflows/update-changelog.yaml b/.github/workflows/update-changelog.yaml
@@ -3,6 +3,8 @@
 # the git repo of the changes.
 
 name: "Update Changelog"
+permissions:
+  contents: read
 
 on:
   release:
