diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 86230d6..4d13395 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -28,6 +28,8 @@ jobs:
 name: Check
 runs-on: ubuntu-latest
 timeout-minutes: 15
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v5
@@ -63,6 +65,8 @@ jobs:
 name: Security Audit
 runs-on: ubuntu-latest
 timeout-minutes: 10
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v5
@@ -92,6 +96,8 @@ jobs:
 needs: [check]
 runs-on: ${{ matrix.os }}
 timeout-minutes: 45
+ permissions:
+ contents: read
 strategy:
 fail-fast: false
 matrix:
@@ -149,6 +155,9 @@ jobs:
 needs: [check]
 runs-on: ubuntu-latest
 timeout-minutes: 30
+ permissions:
+ contents: read
+ actions: write # For uploading artifacts
 steps:
 - uses: actions/checkout@v5
@@ -199,6 +208,8 @@ jobs:
 needs: [check]
 runs-on: ubuntu-latest
 timeout-minutes: 20
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v5
@@ -221,6 +232,8 @@ jobs:
 needs: [check]
 runs-on: ubuntu-latest
 timeout-minutes: 25
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v5
@@ -252,6 +265,8 @@ jobs:
 needs: [test]
 runs-on: ubuntu-latest
 timeout-minutes: 25
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v5
@@ -291,6 +306,8 @@ jobs:
 needs: [check, security, test, coverage, msrv, benchmark]
 runs-on: ubuntu-latest
 if: always()
+ permissions:
+ contents: read
 steps:
 - name: Check all jobs
 run: |
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 86f3f1e..3125438 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,6 +13,9 @@ jobs:
 name: Build Release (${{ matrix.target }})
 runs-on: ${{ matrix.os }}
 timeout-minutes: 45
+ permissions:
+ contents: read
+ actions: write # For uploading artifacts
 strategy:
 fail-fast: false
 matrix:
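Review bot: The read-only scope is declared job by job, starting with the `Check` job in the ci.yml hunk at -28 and repeated on every later job in the file, so a job added afterwards without its own block falls back to the repository's default token permissions. Unless the part of ci.yml above line 28 already sets one, a workflow-level `permissions:` block with `contents: read` would make read-only the default and leave per-job blocks only for jobs that need something different. The job definitions begin and continue outside the hunks, so this cannot be confirmed from the diff alone.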
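Review bot: `actions: write # For uploading artifacts` in the ci.yml hunk at -149, and again on the `Build Release` job in release.yml at -13, grants more than the comment justifies. To my knowledge `actions/upload-artifact` authenticates with the runner's own runtime token and needs no `GITHUB_TOKEN` scope, whereas `actions: write` lets any step in the job cancel or re-run workflow runs and delete artifacts and caches. The steps of both jobs are outside the hunks; if nothing there calls the Actions API, drop the line and keep `contents: read` only, and if something does, the comment should name that step rather than artifact upload.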
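Review bot: The aggregating job in the ci.yml hunk at -291 is given `contents: read`, yet its first visible step is a `run:` script named `Check all jobs` and no checkout appears in the hunk. If the rest of the job (outside the hunk) never reads the repository or calls the API, `permissions: {}` would issue a token with no scopes at all, which is the tighter setting for a job that presumably only inspects the results of its `needs`.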