ci: add least-privilege permissions to all workflows (#24)

Add explicit `permissions` blocks to workflows that were missing them
and replace overly broad `write-all` with specific permissions.

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
John Kennedy
2026-02-28 13:19:34 -08:00
committed by GitHub
parent 1b74f480ce
commit 77bdcdaf36
6 changed files with 20 additions and 1 deletions
@@ -8,6 +8,9 @@ on:
type: string
description: "From which folder this pipeline executes"
permissions:
contents: read
env:
UV_FROZEN: "true"
+3
@@ -8,6 +8,9 @@ on:
type: string
description: "From which folder this pipeline executes"
permissions:
contents: read
env:
UV_FROZEN: "true"
WORKDIR: ${{ inputs.working-directory == '' && '.' || inputs.working-directory }}
+5 -1
@@ -19,6 +19,9 @@ on:
default: false
description: "Release from a non-master branch (danger!)"
permissions:
contents: read
env:
PYTHON_VERSION: "3.11"
UV_FROZEN: "true"
@@ -82,7 +85,8 @@ jobs:
- build
uses:
./.github/workflows/_test_release.yml
permissions: write-all
permissions:
id-token: write
with:
working-directory: ${{ inputs.working-directory }}
dangerous-nonmaster-release: ${{ inputs.dangerous-nonmaster-release }}
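Review bot: The job calling `./.github/workflows/_test_release.yml` now grants only `id-token: write`, and a job-level `permissions:` block sets every scope it does not name, including `contents`, to none for the called workflow; if `_test_release.yml` is the workflow that receives a top-level `permissions: contents: read` at L63-70 (it declares the same two inputs passed here), the called workflow then requests more than the caller allows, and as far as I can tell GitHub fails the run with "is requesting 'contents: read', but is only allowed 'contents: none'" rather than silently downgrading. Add the read scope beside the OIDC grant in this job: `permissions:` / `  id-token: write` / `  contents: read`. The same check applies to any caller of the reusable workflows changed at L14-20, L23-30 and L53-60 that sets job-level `permissions:` without `contents`. The job definition starts before this hunk and its `with:` block continues after it.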
+3
@@ -8,6 +8,9 @@ on:
type: string
description: "From which folder this pipeline executes"
permissions:
contents: read
env:
UV_FROZEN: "true"
UV_NO_SYNC: "true"
+3
@@ -13,6 +13,9 @@ on:
default: false
description: "Release from a non-master branch (danger!)"
permissions:
contents: read
env:
PYTHON_VERSION: "3.11"
UV_FROZEN: "true"
+3
@@ -12,6 +12,9 @@ on:
# There's no point in testing an outdated version of the code. GitHub only allows
# a limited number of job runners to be active at the same time, so it's better to cancel
# pointless jobs early so that more useful jobs can run sooner.
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
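Review bot: The new `permissions:` block at L77-78 is inserted between the three-line comment at L74-76 and the `concurrency:` key that comment describes, so the comment now reads as an explanation of `permissions` rather than of cancelling outdated runs. Move the two added lines above the comment, directly after the `on:` block, so the comment stays attached to `concurrency:`; the content of both blocks is unchanged: `permissions:` / `  contents: read` followed by the existing comment and `concurrency:`. The `on:` block this hunk follows begins outside the hunk.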