Limit permissions to content read for most workflows

neomatamune · neomatamune · commit 33d5ff2c0127 · 2025-10-13T09:38:06.000+02:00
diff --git a/.github/workflows/check_untested_functions.yml b/.github/workflows/check_untested_functions.yml
@@ -1,5 +1,8 @@
 name: Check Untested Functions
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: [ main ]
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -1,5 +1,8 @@
 name: Lint
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: [ main ]
diff --git a/.github/workflows/old_issues_unit_tests.yml b/.github/workflows/old_issues_unit_tests.yml
@@ -1,10 +1,14 @@
 name: issues_unit_tests
+
+permissions:
+  contents: read
+
 on:
   push:
     branches:
       - "main"
-  pull_request: 
-    types: 
+  pull_request:
+    types:
       - opened
       - synchronize
 env:
@@ -22,4 +26,4 @@ jobs:
       - run: pip install -e .[doc]
       - name: run tests
         shell: bash
-        run: /bin/bash issues_tests/run_tests
+        run: /bin/bash issues_tests/run_tests
diff --git a/.github/workflows/publish_to_pypi.yml b/.github/workflows/publish_to_pypi.yml
@@ -1,5 +1,8 @@
 name: Publish Python 🐍 distributions 📦 to PyPI and TestPyPI
 
+permissions:
+  contents: read
+
 on:
   push:
     tags:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -1,5 +1,8 @@
 name: Run Tests
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: [ main ]
diff --git a/.github/workflows/track_dependencies.yml b/.github/workflows/track_dependencies.yml
@@ -1,10 +1,13 @@
 name: Track Dependencies
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:
       - main
-      
+
 jobs:
   generate-sbom:
     runs-on: ubuntu-latest
@@ -28,4 +31,3 @@ jobs:
           apikey: ${{ secrets.DEPENDENCY_TRACK_API_KEY }}
           project: '1e001e58-586c-4f01-b5f6-3b94a7c34c43'
           bomfilename: 'sbom.json'
-    
