Merge pull request #228 from nikobockerman/ci-set-workflow-permissions

nikobockerman · web-flow · commit 77d4126d29d8 · 2025-04-13T00:49:06.000+03:00
ci: Set explicit permissions to workflows
diff --git a/.github/workflows/check-enforce-all-checks.yaml b/.github/workflows/check-enforce-all-checks.yaml
@@ -1,9 +1,9 @@
 name: Check - Enforce all checks pass
 on:
   pull_request:
+permissions:
+  checks: read
 
 jobs:
   wf:
     uses: nikobockerman/github-workflows/.github/workflows/check-enforce-all-checks.yaml@c40fd048af4cc60e443fb5e0741812d69716d6a6
-    permissions:
-      checks: read
diff --git a/.github/workflows/check-github-actions.yaml b/.github/workflows/check-github-actions.yaml
@@ -7,6 +7,8 @@ on:
       - "package.json"
       - "yarn.lock"
   workflow_dispatch:
+permissions:
+  contents: read
 
 jobs:
   wf:
diff --git a/.github/workflows/check-mypy.yaml b/.github/workflows/check-mypy.yaml
@@ -1,5 +1,4 @@
 name: Check - mypy
-
 on:
   pull_request:
     paths:
@@ -11,6 +10,8 @@ on:
       - "uv.lock"
   workflow_call:
   workflow_dispatch:
+permissions:
+  contents: read
 
 jobs:
   mypy:
diff --git a/.github/workflows/check-prettier.yaml b/.github/workflows/check-prettier.yaml
@@ -1,11 +1,12 @@
 name: Check - prettier
-
 on:
   pull_request:
     paths-ignore:
       - "**.py"
       - "**/py.typed"
   workflow_dispatch:
+permissions:
+  contents: read
 
 jobs:
   wf:
diff --git a/.github/workflows/check-pyright.yaml b/.github/workflows/check-pyright.yaml
@@ -1,5 +1,4 @@
 name: Check - pyright
-
 on:
   pull_request:
     paths:
@@ -13,6 +12,8 @@ on:
       - "yarn.lock"
   workflow_call:
   workflow_dispatch:
+permissions:
+  contents: read
 
 jobs:
   pyright:
diff --git a/.github/workflows/check-renovate-config.yaml b/.github/workflows/check-renovate-config.yaml
@@ -5,6 +5,8 @@ on:
       - ".github/renovate.json5"
       - ".github/workflows/check-renovate-config.yaml"
   workflow_dispatch:
+permissions:
+  contents: read
 
 jobs:
   wf:
diff --git a/.github/workflows/check-ruff.yaml b/.github/workflows/check-ruff.yaml
@@ -1,5 +1,4 @@
 name: Check - ruff
-
 on:
   pull_request:
     paths:
@@ -11,6 +10,8 @@ on:
       - "uv.lock"
   workflow_call:
   workflow_dispatch:
+permissions:
+  contents: read
 
 jobs:
   ruff:
diff --git a/.github/workflows/check-yarn.yaml b/.github/workflows/check-yarn.yaml
@@ -1,12 +1,13 @@
 name: Check - Yarn and dependencies
-
 on:
   pull_request:
     paths:
       - ".github/workflows/check-yarn.yaml"
       - "package.json"
       - "yarn.lock"
   workflow_dispatch:
+permissions:
+  contents: read
 
 jobs:
   wf:
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -1,5 +1,4 @@
 name: CI
-
 on:
   push:
     branches:
@@ -11,6 +10,8 @@ on:
     # Run every Monday at 00:30 UTC
     - cron: "30 0 * * 1"
   workflow_dispatch:
+permissions:
+  contents: read
 
 jobs:
   check-github-actions:
diff --git a/.github/workflows/run-all.yaml b/.github/workflows/run-all.yaml
@@ -1,5 +1,4 @@
 name: Run - all
-
 on:
   pull_request:
     paths:
@@ -11,6 +10,8 @@ on:
       - "uv.lock"
   workflow_call:
   workflow_dispatch:
+permissions:
+  contents: read
 
 jobs:
   run-all:
diff --git a/.github/workflows/test-pytest.yaml b/.github/workflows/test-pytest.yaml
@@ -1,5 +1,4 @@
 name: Check - pytest
-
 on:
   pull_request:
     paths:
@@ -10,6 +9,8 @@ on:
       - "uv.lock"
   workflow_call:
   workflow_dispatch:
+permissions:
+  contents: read
 
 jobs:
   pytest:
