From 5c009df0ef245d185c0c1be120f9ba8570e80353 Mon Sep 17 00:00:00 2001
From: Sourabh Sharma
Date: Mon, 11 May 2026 22:06:18 +0530
Subject: [PATCH] Limit GitHub Actions token permissions
---
 .github/workflows/pre-commit.yaml | 2 ++
 .github/workflows/publish.yaml | 2 ++
 .github/workflows/tests.yaml | 2 ++
 3 files changed, 6 insertions(+)
diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
index eda8c518a..f5bd2fa83 100644
--- a/.github/workflows/pre-commit.yaml
+++ b/.github/workflows/pre-commit.yaml
@@ -3,6 +3,8 @@ on:
 pull_request:
 push:
 branches: [main, stable]
+permissions:
+ contents: read
 jobs:
 main:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index eb5c6a5a5..5d190d58c 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -5,6 +5,8 @@ on:
 jobs:
 build:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - uses: astral-sh/setup-uv@f0ec1fc3b38f5e7cd731bb6ce540c5af426746bb # v6.1.0
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index db947befe..8a3c9a7e3 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -5,6 +5,8 @@ on:
 push:
 branches: [main, stable]
 paths-ignore: ['docs/**', 'README.md']
+permissions:
+ contents: read
 jobs:
 tests:
 name: ${{ matrix.name || matrix.python }}
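Review bot: The new top-level `permissions:` block in pre-commit.yaml (and the identical one in tests.yaml) carries no comment, yet its effect is wider than the single key suggests: once any scope is listed, every unlisted GITHUB_TOKEN scope is set to none for all jobs in the workflow. I would add a line above it such as `# Least privilege: jobs only read the repo; grant extra scopes per job, not here.` so that a later step needing a write scope gets its grant at job level instead of widening the default. The jobs' steps lie outside both hunks, so it is worth confirming that none of them pushes or writes with the token.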
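Review bot: In publish.yaml the `permissions:` block is added under the `build` job rather than at the workflow level as in the other two files, so it restricts only that job. Any other job in this workflow (the rest of the file is outside the hunk) keeps the repository's default token permissions unless it declares its own block, and a publish workflow is where an over-broad token matters most. Consider a top-level `permissions: {}` as the default, with each job granting only what it needs; the `contents: read` on `build` can then stay as it is.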