Add explicit read permissions to workflows (#28)

rnro · web-flow · commit 8bc237c565de · 2025-11-03T10:17:32.000Z
Motivation:

* More secure GitHub Actions workflows

Modifications:

Add explicit 'contents: read' permissions to workflows that did not have
explicit permissions defined. This follows GitHub Actions security best
practices by limiting the default GITHUB_TOKEN permissions.

Result:

An extra layer of security.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -1,5 +1,8 @@
 name: Main
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: [main]
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -1,5 +1,8 @@
 name: PR
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     branches: [main]
diff --git a/.github/workflows/pull_request_label.yml b/.github/workflows/pull_request_label.yml
@@ -1,5 +1,8 @@
 name: PR
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     types: [labeled, unlabeled, opened, reopened, synchronize]
diff --git a/.github/workflows/soundness.yml b/.github/workflows/soundness.yml
@@ -1,5 +1,8 @@
 name: Soundness
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
 
