Narrows privileges for GitHub workflow in publish.yml

DougReeder · DougReeder · commit c79ae150cbb0 · 2025-11-11T21:57:06.000-05:00
Why: The principle of Least Privilege guards against a vulnerability in the actions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -8,6 +8,9 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest
@@ -55,6 +58,11 @@ jobs:
     strategy:
       matrix:
         version: ["3.5.0", "3.4.0", "3.3.1", "2.93.9"]
+    permissions:
+      contents: read
+      actions: write   # essential for uploading artifacts to GitHub's storage
+      id-token: write   # enables authentication with GitHub's cache service
+      packages: write   # required for artifact storage operations
     timeout-minutes: 20
     steps:
       - uses: actions/checkout@v5
@@ -110,6 +118,10 @@ jobs:
           if-no-files-found: error
 
   publish:
+    permissions:
+      contents: read
+      actions: write   # essential for uploading artifacts to GitHub's storage
+      packages: write   # enables writing to GitHub's package storage
     needs: test
     runs-on: ubuntu-latest
     timeout-minutes: 20
