ci: Set explict top-level permissions for GHA (#198)

xhochy · web-flow · commit 75ee03ef3449 · 2025-07-09T13:03:41.000+02:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -4,6 +4,8 @@ on:
   push:
     branches: [main]
 
+permissions: read-all
+
 jobs:
   metadata:
     name: Check if version changed
@@ -137,6 +139,8 @@ jobs:
     needs: [metadata, build, provenance]
     if: needs.metadata.outputs.release == 'true'
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Download artifacts
diff --git a/.github/workflows/chore.yml b/.github/workflows/chore.yml
@@ -8,6 +8,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   check-pr-title:
     name: Check PR Title
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -9,6 +9,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   pre-commit-checks:
     name: Pre-commit Checks
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -10,6 +10,8 @@ on:
   schedule:
     - cron: "16 22 * * 5"
 
+permissions: read-all
+
 jobs:
   analyze:
     name: Analyze (${{ matrix.language }})
