CI: Add read-only permission to workflows

Joseph-Edwards · Joseph-Edwards · commit 1a1b71dccce0 · 2026-03-16T13:20:30.000Z
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
@@ -1,8 +1,10 @@
 name: codespell
 on: [pull_request]
+permissions:
+  contents: read
 jobs:
   codespell:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v6
-    - uses: codespell-project/actions-codespell@v2.2
+      - uses: actions/checkout@v6
+      - uses: codespell-project/actions-codespell@v2.2
diff --git a/.github/workflows/config-options.yml b/.github/workflows/config-options.yml
@@ -1,5 +1,7 @@
 name: Config options
 on: [pull_request, workflow_dispatch]
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/custom-branch.yml b/.github/workflows/custom-branch.yml
@@ -11,6 +11,8 @@ on:
         required: false
         type: string
         default: libsemigroups/libsemigroups
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/doc.yml b/.github/workflows/doc.yml
@@ -1,5 +1,7 @@
 name: Check documentation builds
 on: [pull_request, workflow_dispatch]
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -1,5 +1,7 @@
 name: Lint
 on: [pull_request, workflow_dispatch]
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/pip.yml b/.github/workflows/pip.yml
@@ -1,5 +1,7 @@
 name: Run tests (pip)
 on: [pull_request, workflow_dispatch]
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/test-conda.yml b/.github/workflows/test-conda.yml
@@ -5,6 +5,8 @@ on:
     branches:
       - "stable-*"
       - "rc-*"
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -1,5 +1,7 @@
 name: Run tests (GitHub libsemigroups)
 on: [pull_request, workflow_dispatch]
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/wheels.yml b/.github/workflows/wheels.yml
@@ -10,6 +10,8 @@ on:
   pull_request:
     paths:
       - .github/workflows/wheels.yml
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
