Add appropriate permissions blocks where applicable

lucperkins · lucperkins · commit d47072ed859c · 2025-11-12T18:08:17.000-03:00
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -8,8 +8,8 @@ jobs:
   build-artifacts:
     runs-on: ${{ matrix.systems.runner }}
     permissions:
-      id-token: "write"
-      contents: "read"
+      id-token: write
+      contents: read
     env:
       ARTIFACT_KEY: flake-checker-${{ matrix.systems.system }}
     strategy:
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -9,6 +9,9 @@ jobs:
   checks:
     name: Nix and Rust checks
     runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - uses: DeterminateSystems/determinate-nix-action@main
@@ -27,6 +30,9 @@ jobs:
   rust-tests:
     name: Test Rust
     runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - uses: DeterminateSystems/determinate-nix-action@main
@@ -37,6 +43,9 @@ jobs:
   check-flake-cel-condition:
     name: Check flake.lock test (CEL condition)
     runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - uses: DeterminateSystems/determinate-nix-action@main
@@ -51,6 +60,9 @@ jobs:
   check-flake-dirty:
     name: Check flake.lock test (dirty 😈)
     runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - uses: DeterminateSystems/determinate-nix-action@main
@@ -62,6 +74,9 @@ jobs:
   check-flake-clean:
     name: Check flake.lock test (clean 👼)
     runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - uses: DeterminateSystems/determinate-nix-action@main
@@ -74,6 +89,9 @@ jobs:
     name: Check flake.lock test (dirty 😈 plus fail mode activated)
     runs-on: ubuntu-24.04
     if: false
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - uses: DeterminateSystems/determinate-nix-action@main
diff --git a/.github/workflows/ref-statuses.yaml b/.github/workflows/ref-statuses.yaml
@@ -7,6 +7,9 @@ on:
 jobs:
   check-ref-statuses:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - uses: actions/checkout@v4
 
diff --git a/.github/workflows/update-flake-lock.yaml b/.github/workflows/update-flake-lock.yaml
@@ -8,6 +8,9 @@ on:
 jobs:
   lockfile:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - uses: DeterminateSystems/determinate-nix-action@main
