Set permissions on GitHub workflows

jeffhandley · jeffhandley · commit 1538864c122a · 2025-04-09T21:07:57.000-07:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: ["main"]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     strategy:
diff --git a/.github/workflows/code-coverage.yml b/.github/workflows/code-coverage.yml
@@ -3,6 +3,10 @@ name: Code Coverage
 on:
   workflow_call:
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   publish-coverage:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/markdown-link-check.yml b/.github/workflows/markdown-link-check.yml
@@ -1,10 +1,13 @@
 name: Check Markdown links
 
 on:
-    push:
-      branches: [ "main" ]
-    pull_request:
-      branches: [ "main" ]
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+permissions:
+  contents: read
 
 jobs:
   markdown-link-check:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -40,6 +40,9 @@ jobs:
 
     runs-on: ${{ matrix.os }}
 
+    permissions:
+      contents: read
+
     steps:
     - name: Clone the repo
       uses: actions/checkout@v4
@@ -64,6 +67,9 @@ jobs:
     env:
       version_suffix_args: ${{ github.event_name != 'release' && format('--version-suffix "{0}"', inputs.version_suffix_override || format('ci.{0}', github.run_number)) || '' }}
 
+    permissions:
+      contents: read
+
     steps:
       - uses: actions/checkout@v4
 
@@ -89,7 +95,13 @@ jobs:
 
   publish-package:
     needs: build-package
+
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      packages: write
+
     steps:
       - uses: actions/checkout@v4
 
