CI: Restrict default permissions

tacaswell · tacaswell · commit 391a4de3cbcb · 2025-07-17T23:36:32.000-04:00
Reduces risk of arbitrary code is run by attacker.
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -1,12 +1,13 @@
 name: CI
-permissions:
-  contents: write
 
 on: [push, pull_request]
 
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+
     steps:
       - uses: actions/checkout@v4
         with:
