Declare CI workflow permissions

jeffhandley · jeffhandley · commit 863d23a32f21 · 2025-04-10T12:08:31.000-07:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: ["main"]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     strategy:
diff --git a/.github/workflows/code-coverage.yml b/.github/workflows/code-coverage.yml
@@ -3,6 +3,9 @@ name: Code Coverage
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   publish-coverage:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -7,9 +7,9 @@ on:
 
 # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
 permissions:
-  actions: read
+  contents: read
   pages: write
-  id-token: write
+  id-token: write # Required for actions/deploy-pages
 
 # Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
 # However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
diff --git a/.github/workflows/markdown-link-check.yml b/.github/workflows/markdown-link-check.yml
@@ -8,6 +8,9 @@ on:
     branches: [ "main" ]
     paths: "**.md"
 
+permissions:
+  contents: read
+
 jobs:
   markdown-link-check:
     runs-on: ubuntu-latest
