Restrict workflow permissions (#47)

trask · web-flow · commit b538ddf637c7 · 2025-02-11T06:04:48.000-08:00
diff --git a/.github/workflows/main-build.yml b/.github/workflows/main-build.yml
@@ -5,6 +5,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build
diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml
@@ -5,6 +5,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
@@ -7,8 +7,13 @@ on:
         description: The version to tag the release with, e.g., 1.2.0, 1.2.1-alpha.1
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
+    permissions:
+      contents: write # for creating the release
     name: Build
     runs-on: ubuntu-latest
     steps:
