ci: Avoid overly broad permissions for workflow jobs - Add specific ones for those using secrets

ecoussoux-ansys · ecoussoux-ansys · commit 7fa63b2311ae · 2025-10-09T16:56:38.000+02:00
diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
@@ -14,6 +14,8 @@ env:
     MAIN_PYTHON_VERSION: 3.13
     DOCUMENTATION_CNAME: tools.docs.pyansys.com
 
+permissions: {} # Disable default permissions
+
 jobs:
 
     update-changelog:
@@ -34,31 +36,34 @@ jobs:
     # check-vulnerabilities:
     #   name: "Check library vulnerabilities"
     #   runs-on: ubuntu-latest
+    #   permissions:
+    #     contents: read
     #   steps:
-    #     - uses: ansys/actions/check-vulnerabilities@v10.0
+    #     - uses: ansys/actions/check-vulnerabilities@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
     #       with:
     #         python-version: ${{ env.MAIN_PYTHON_VERSION }}
     #         token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
     #         python-package-name: ${{ env.PACKAGE_NAME }}
     #         dev-mode: ${{ github.ref != 'refs/heads/main' }}
 
     style:
-        name: Code style
-        runs-on: ubuntu-latest
-        steps:
-          - name: PyAnsys code style checks
-            uses: ansys/actions/code-style@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
-            with:
-              python-version: ${{ env.MAIN_PYTHON_VERSION }}
+      name: Code style
+      runs-on: ubuntu-latest
+      steps:
+        - name: PyAnsys code style checks
+          uses: ansys/actions/code-style@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
+          with:
+            python-version: ${{ env.MAIN_PYTHON_VERSION }}
+    
     smoke-tests:
-        name: Build and Smoke tests
-        runs-on: ${{ matrix.os }}
-        strategy:
-            fail-fast: false
-            matrix:
-                os: [ubuntu-latest, windows-latest, macos-latest]
-                python-version: ['3.10', '3.11', '3.12']
-        steps:
+      name: Build and Smoke tests
+      runs-on: ${{ matrix.os }}
+      strategy:
+        fail-fast: false
+        matrix:
+          os: [ubuntu-latest, windows-latest, macos-latest]
+          python-version: ['3.10', '3.11', '3.12']
+      steps:
         - name: Build wheelhouse and perform smoke test
           uses: ansys/actions/build-wheelhouse@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
           with:
@@ -71,6 +76,8 @@ jobs:
       name: Testing
       runs-on: ubuntu-latest
       needs: [smoke-tests]
+      permissions:
+        contents: read
       env:
         ANSYS_LOCAL: false
         ON_UBUNTU: true
@@ -99,14 +106,16 @@ jobs:
             uv pip install tests/launcher/pkg_with_entrypoint
             uv run pytest
 
-        # - uses: codecov/codecov-action@v5
+        # - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
         #   name: 'Upload coverage to CodeCov'
         #   with:
         #     token: ${{ secrets.CODECOV_TOKEN }}
 
     docs-style:
       name: Documentation Style Check
       runs-on: ubuntu-latest
+      permissions:
+        contents: read
       steps:
         - name: PyAnsys documentation style checks
           uses: ansys/actions/doc-style@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
@@ -178,6 +187,8 @@ jobs:
       if: github.event_name == 'push' && contains(github.ref, 'refs/tags')
       runs-on: ubuntu-latest
       needs: [release]
+      permissions:
+        contents: write
       steps:
         - name: Deploy the stable documentation
           uses: ansys/actions/doc-deploy-stable@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml
@@ -14,6 +14,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {} # Disable default permissions
+
 jobs:
 
   label-syncer:
diff --git a/.github/workflows/run_mapdl_tests.yml b/.github/workflows/run_mapdl_tests.yml
@@ -13,6 +13,10 @@ env:
     PACKAGE_NAME: ansys-tools-common
     MAIN_PYTHON_VERSION: 3.13
 
+permissions:
+  contents: read
+  packages: read
+
 jobs:
   build-tests:
     name: Build tests
@@ -50,7 +54,7 @@ jobs:
         uv pip install tests/launcher/pkg_with_entrypoint
         uv run pytest -vx --cov=${PACKAGE_NAMESPACE} --cov-report=term --cov-report=xml:.cov/coverage.xml --cov-report=html:.cov/html
 
-      # - uses: codecov/codecov-action@v5
+      # - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
       #   name: 'Upload coverage to CodeCov'
       #   with:
       #     token: ${{ secrets.CODECOV_TOKEN }}
