fix(security): add permissions to workflow files

Oumou · Oumou · commit cd5eec383534 · 2026-03-25T01:04:23.000+01:00
Add top-level permissions with contents: read to publish_pypi and
omero_plugin workflows to restrict the default GITHUB_TOKEN scope
and satisfy CodeQL security alerts.
diff --git a/.github/workflows/omero_plugin.yml b/.github/workflows/omero_plugin.yml
@@ -16,14 +16,17 @@ on:
   schedule:
     - cron: '0 0 * * 0'
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Run integration tests against OMERO
     runs-on: ubuntu-22.04
     env:
       STAGE: app
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Checkout omero-test-infra
         uses: actions/checkout@master
         with:
diff --git a/.github/workflows/publish_pypi.yml b/.github/workflows/publish_pypi.yml
@@ -5,13 +5,16 @@ on:
     tags:
       - 'v*'
 
+permissions:
+  contents: read
+
 jobs:
   build-n-publish:
     name: Build and publish Python distribution to PyPI
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v4
+      - uses: actions/checkout@v6
+      - uses: actions/setup-python@v6
         with:
           python-version: '3.9'
       - name: Build a binary wheel and a source tarball
