Strengthen permissions for GitHub actions workflows

MaddyGuthridge · MaddyGuthridge · commit 4253098ac1e7 · 2025-08-14T20:16:57.000+10:00
diff --git a/.github/workflows/mkdocs-dryrun.yml b/.github/workflows/mkdocs-dryrun.yml
@@ -1,6 +1,9 @@
 name: Generate documentation dryrun
+permissions:
+  contents: read
 on:
-  # Documentation can be either manually updated or is automatically updated when pushed to main branch
+  # Documentation can be either manually updated or is automatically updated
+  # when pushed to main branch
   workflow_dispatch:
   push:
     branches:
diff --git a/.github/workflows/mkdocs.yml b/.github/workflows/mkdocs.yml
@@ -8,6 +8,7 @@ on:
 
 # Make sure deploy-pages has necessary permissions to deploy to GitHub Pages
 permissions:
+  contents: read
   pages: write
   id-token: write
 
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -1,4 +1,6 @@
 name: Publish Package on PyPi
+permissions:
+  contents: read
 
 on:
   release:
diff --git a/.github/workflows/python-app.yml b/.github/workflows/python-app.yml
@@ -3,22 +3,23 @@
 
 name: Test and Lint
 
-on:
-  pull_request:
-    branches:
-      - main
-  push:
-    branches:
-      - main
-
 # Yoinked from https://github.com/MTES-MCT/apilos/pull/854/files
 # Explicitly set permissions to allow Dependabot workflow runs to write in the PR
 # for coverage's reporting.
 # By default, these are read-only when the actions are ran by Dependabot
 # https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#changing-github_token-permissions
 permissions:
+  contents: read
   pull-requests: write
 
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+
 jobs:
   Test:
     strategy:
