CI: Restrict default permissions

tacaswell · tacaswell · commit f89172e699da · 2025-07-17T23:19:31.000-04:00
Reduces risk of arbitrary code is run by attacker.
diff --git a/.github/workflows/black.yml b/.github/workflows/black.yml
@@ -1,4 +1,6 @@
 name: Lint with Black
+permissions:
+  contents: read
 
 on: [push, pull_request]
 
diff --git a/.github/workflows/check-test-coverage.yml b/.github/workflows/check-test-coverage.yml
@@ -1,4 +1,6 @@
 name: Coverage (with doctests)
+permissions:
+  contents: read
 on:
   push:
     branches: [ master ]
diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
@@ -2,6 +2,8 @@
 # For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries
 
 name: Publish Python Package
+permissions:
+  contents: read
 
 on:
   release:
diff --git a/.github/workflows/python-runlinter.yml b/.github/workflows/python-runlinter.yml
@@ -2,6 +2,8 @@
 # For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
 
 name: Lint with flake8
+permissions:
+  contents: read
 
 on:
   push:
diff --git a/.github/workflows/python-runtests-all.yml b/.github/workflows/python-runtests-all.yml
@@ -2,6 +2,8 @@
 # For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
 
 name: Run units test (w/ img comps)
+permissions:
+  contents: read
 
 on:
   push:
