chore(ci): narrow token permissions

JP-Ellis · JP-Ellis · commit 837a14b692de · 2025-07-22T11:23:02.000+10:00
Signed-off-by: JP-Ellis &lt;josh@jpellis.me&gt;
diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml
@@ -11,9 +11,12 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
-  cancel-in-progress: true
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
 env:
   STABLE_PYTHON_VERSION: '3.13'
@@ -142,10 +145,9 @@ jobs:
       - build-wheels
 
     permissions:
+      contents: read
       # Required for trusted publishing
       id-token: write
-      # Required for release creation
-      contents: write
 
     steps:
       - name: Checkout code
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -11,9 +11,12 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
-  cancel-in-progress: true
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
 env:
   STABLE_PYTHON_VERSION: '3.13'
@@ -216,10 +219,9 @@ jobs:
       - build-arm64
 
     permissions:
+      contents: read
       # Required for trusted publishing
       id-token: write
-      # Required for release creation
-      contents: write
 
     steps:
       - name: Checkout code
