CI: Restrict default permissions

tacaswell · tacaswell · commit 510553468d38 · 2025-07-18T14:21:49.000-04:00
Reduces risk of arbitrary code is run by attacker.
diff --git a/.github/.github/workflows/lighthouse.yml b/.github/.github/workflows/lighthouse.yml
@@ -1,4 +1,6 @@
 name: Lighthouse
+permissions:
+  contents: read
 on: [push, pull_request]
 jobs:
   CI:
diff --git a/.github/.github/workflows/pre-commit.yaml b/.github/.github/workflows/pre-commit.yaml
@@ -1,4 +1,6 @@
 name: Linting
+permissions:
+  contents: read
 
 on:
   push:
diff --git a/.github/.github/workflows/publish-pypi.yml b/.github/.github/workflows/publish-pypi.yml
@@ -1,4 +1,6 @@
 name: Push to PyPI
+permissions:
+  contents: read
 
 on:
   push:
@@ -8,7 +10,10 @@ on:
 jobs:
   publish:
     runs-on: ubuntu-latest
-
+    permissions:
+      id-token: write
+      attestations: write
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@v1
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -1,6 +1,8 @@
 ---
 
 name: Linting
+permissions:
+  contents: read
 on: [pull_request]
 
 permissions:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,6 +1,8 @@
 ---
 
 name: Release
+permissions:
+  contents: read
 on:
   release:
     types:
