fixup! Add explicit workflow permissions

jahands · jahands · commit 4e0af67eaa7d · 2025-05-14T12:44:29.000-05:00
diff --git a/.github/workflows/branches.yml b/.github/workflows/branches.yml
@@ -10,6 +10,8 @@ jobs:
   test:
     name: Test & Check
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     timeout-minutes: 10
     strategy:
       matrix:
diff --git a/.github/workflows/evals.yml b/.github/workflows/evals.yml
@@ -9,6 +9,8 @@ jobs:
   eval:
     name: Eval
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     timeout-minutes: 10
     steps:
       - uses: actions/checkout@v4
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -11,6 +11,8 @@ jobs:
   deploy-staging:
     name: Deploy (staging)
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     timeout-minutes: 10
     concurrency: ${{ github.workflow }}-deploy-staging
     steps:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -11,11 +11,11 @@ jobs:
   create-release-pr:
     name: Create Release PR
     runs-on: ubuntu-24.04
-    timeout-minutes: 5
-    concurrency: ${{ github.workflow }}-create-release-pr
     permissions:
       contents: write
       pull-requests: write
+    timeout-minutes: 5
+    concurrency: ${{ github.workflow }}-create-release-pr
     outputs:
       published: ${{ steps.create-release-pr.outputs.published }}
     steps:
@@ -48,6 +48,8 @@ jobs:
     runs-on: ubuntu-24.04
     timeout-minutes: 10
     concurrency: ${{ github.workflow }}-deploy-production
+    permissions:
+      contents: read
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v4
