ci: add token permissions (#305)

Author: bigcat88

.github/codecov.yml

@@ -1,6 +1,3 @@
-codecov:
-  allow_coverage_offsets: true  # Avoid "Missing base report" due to committing with "[CI skip]"
-
 comment:
   layout: "diff, files"
 
@@ -9,3 +6,4 @@ coverage:
     project:
       default:
         threshold: 0.1%
+    patch: off

.github/workflows/build-and-test.yml

@@ -19,6 +19,9 @@ on:
       - "!.coveragerc"
       - "!.gitignore"
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: "Run Tests on Multiple Platforms"

.github/workflows/publish_package.yml

@@ -4,6 +4,9 @@ on:
   release:
     types: [ created ]
 
+permissions:
+  contents: read
+
 jobs:
   build-n-publish-pypi:
     name: Build and publish Python distributions to PyPI

.github/workflows/pytest.yml

@@ -8,6 +8,11 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+  statuses: write
+  pull-requests: write
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/ruff_check.yml

@@ -8,6 +8,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   ruff_check:
     runs-on: ubuntu-latest

.github/workflows/run-on-gpu.yml

@@ -22,6 +22,9 @@ on:
       - "!.coveragerc"
       - "!.gitignore"
 
+permissions:
+  contents: read
+
 jobs:
   test-cli-gpu:
     name: "Run Tests on GPU Runners"

.github/workflows/test-mac.yml

@@ -6,6 +6,9 @@ on:
     paths:
       - comfy_cli/**
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: macos-latest

.github/workflows/test-windows.yml

@@ -6,6 +6,9 @@ on:
     paths:
       - comfy_cli/**
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: windows-latest