From 23a83333ce61165b227ea052e386bf4cf95f2ea4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niko=20B=C3=B6ckerman?= <git.585wj@slmail.me>
Date: Sun, 13 Apr 2025 00:46:37 +0300
Subject: [PATCH] ci: Set explicit permissions to workflows

---
 .github/workflows/check-enforce-all-checks.yaml | 4 ++--
 .github/workflows/check-github-actions.yaml     | 2 ++
 .github/workflows/check-mypy.yaml               | 3 ++-
 .github/workflows/check-prettier.yaml           | 3 ++-
 .github/workflows/check-pyright.yaml            | 3 ++-
 .github/workflows/check-renovate-config.yaml    | 2 ++
 .github/workflows/check-ruff.yaml               | 3 ++-
 .github/workflows/check-yarn.yaml               | 3 ++-
 .github/workflows/ci.yaml                       | 3 ++-
 .github/workflows/run-all.yaml                  | 3 ++-
 .github/workflows/test-pytest.yaml              | 3 ++-
 11 files changed, 22 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/check-enforce-all-checks.yaml b/.github/workflows/check-enforce-all-checks.yaml
index ab93647..5687ecf 100644
--- a/.github/workflows/check-enforce-all-checks.yaml
+++ b/.github/workflows/check-enforce-all-checks.yaml
@@ -1,9 +1,9 @@
 name: Check - Enforce all checks pass
 on:
   pull_request:
+permissions:
+  checks: read
 
 jobs:
   wf:
     uses: nikobockerman/github-workflows/.github/workflows/check-enforce-all-checks.yaml@c40fd048af4cc60e443fb5e0741812d69716d6a6
-    permissions:
-      checks: read
diff --git a/.github/workflows/check-github-actions.yaml b/.github/workflows/check-github-actions.yaml
index 48f523f..d14d810 100644
--- a/.github/workflows/check-github-actions.yaml
+++ b/.github/workflows/check-github-actions.yaml
@@ -7,6 +7,8 @@ on:
       - "package.json"
       - "yarn.lock"
   workflow_dispatch:
+permissions:
+  contents: read
 
 jobs:
   wf:
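Review bot: The workflow-level `contents: read` added at the two `+` lines becomes the upper bound for the `wf` job's GITHUB_TOKEN, and if that job calls a reusable workflow (as the `wf` job in check-enforce-all-checks.yaml does) any broader grant declared in the called workflow — for example a `pull-requests: write` used to post a summary comment — makes the run fail with a permissions error rather than silently losing the capability, so confirm the called workflow's own `permissions` fits inside this bound. The same bound applies to the `wf` jobs in check-prettier.yaml, check-renovate-config.yaml and check-yarn.yaml, and to the jobs in ci.yaml and run-all.yaml. A short comment above the new key would record the intent for the next editor, e.g. `# Least-privilege GITHUB_TOKEN for every job; widen per job only where a step needs it`. The `wf` job's body, including its `uses:` line, continues outside the hunk.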
diff --git a/.github/workflows/check-mypy.yaml b/.github/workflows/check-mypy.yaml
index f3057c7..f51e90e 100644
--- a/.github/workflows/check-mypy.yaml
+++ b/.github/workflows/check-mypy.yaml
@@ -1,5 +1,4 @@
 name: Check - mypy
-
 on:
   pull_request:
     paths:
@@ -11,6 +10,8 @@ on:
       - "uv.lock"
   workflow_call:
   workflow_dispatch:
+permissions:
+  contents: read
 
 jobs:
   mypy:
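Review bot: Because this workflow also has a `workflow_call:` trigger (the context line just above the new key), the added `contents: read` applies in two ways the file does not spell out: as the token scope when the workflow runs directly, and as a downgrade-only bound on whatever a caller passes (ci.yaml appears to be one, judging by its `check-github-actions` job), since a called workflow can narrow but never widen the caller's grant. A one-line comment would make that explicit, e.g. `# Read-only token; also caps the scope inherited when run via workflow_call`. The same applies to the equivalent hunks in check-pyright.yaml, check-ruff.yaml, run-all.yaml and test-pytest.yaml. Separately, the blank line removed after `name:` in the first hunk of this file and of six other files is whitespace churn unrelated to the permissions change; harmless, but worth a word in the description if it is intentional. The `mypy` job body continues outside the hunk.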
diff --git a/.github/workflows/check-prettier.yaml b/.github/workflows/check-prettier.yaml
index a204b5f..3ad009a 100644
--- a/.github/workflows/check-prettier.yaml
+++ b/.github/workflows/check-prettier.yaml
@@ -1,11 +1,12 @@
 name: Check - prettier
-
 on:
   pull_request:
     paths-ignore:
       - "**.py"
       - "**/py.typed"
   workflow_dispatch:
+permissions:
+  contents: read
 
 jobs:
   wf:
diff --git a/.github/workflows/check-pyright.yaml b/.github/workflows/check-pyright.yaml
index 0767f4c..db37615 100644
--- a/.github/workflows/check-pyright.yaml
+++ b/.github/workflows/check-pyright.yaml
@@ -1,5 +1,4 @@
 name: Check - pyright
-
 on:
   pull_request:
     paths:
@@ -13,6 +12,8 @@ on:
       - "yarn.lock"
   workflow_call:
   workflow_dispatch:
+permissions:
+  contents: read
 
 jobs:
   pyright:
diff --git a/.github/workflows/check-renovate-config.yaml b/.github/workflows/check-renovate-config.yaml
index a18a9d7..52dd068 100644
--- a/.github/workflows/check-renovate-config.yaml
+++ b/.github/workflows/check-renovate-config.yaml
@@ -5,6 +5,8 @@ on:
       - ".github/renovate.json5"
       - ".github/workflows/check-renovate-config.yaml"
   workflow_dispatch:
+permissions:
+  contents: read
 
 jobs:
   wf:
diff --git a/.github/workflows/check-ruff.yaml b/.github/workflows/check-ruff.yaml
index 824f64e..3e89f9c 100644
--- a/.github/workflows/check-ruff.yaml
+++ b/.github/workflows/check-ruff.yaml
@@ -1,5 +1,4 @@
 name: Check - ruff
-
 on:
   pull_request:
     paths:
@@ -11,6 +10,8 @@ on:
       - "uv.lock"
   workflow_call:
   workflow_dispatch:
+permissions:
+  contents: read
 
 jobs:
   ruff:
diff --git a/.github/workflows/check-yarn.yaml b/.github/workflows/check-yarn.yaml
index eefa967..3ba2b2e 100644
--- a/.github/workflows/check-yarn.yaml
+++ b/.github/workflows/check-yarn.yaml
@@ -1,5 +1,4 @@
 name: Check - Yarn and dependencies
-
 on:
   pull_request:
     paths:
@@ -7,6 +6,8 @@ on:
       - "package.json"
       - "yarn.lock"
   workflow_dispatch:
+permissions:
+  contents: read
 
 jobs:
   wf:
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 7a59512..da23136 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1,5 +1,4 @@
 name: CI
-
 on:
   push:
     branches:
@@ -11,6 +10,8 @@ on:
     # Run every Monday at 00:30 UTC
     - cron: "30 0 * * 1"
   workflow_dispatch:
+permissions:
+  contents: read
 
 jobs:
   check-github-actions:
diff --git a/.github/workflows/run-all.yaml b/.github/workflows/run-all.yaml
index 3a4b4c0..a8cc8ae 100644
--- a/.github/workflows/run-all.yaml
+++ b/.github/workflows/run-all.yaml
@@ -1,5 +1,4 @@
 name: Run - all
-
 on:
   pull_request:
     paths:
@@ -11,6 +10,8 @@ on:
       - "uv.lock"
   workflow_call:
   workflow_dispatch:
+permissions:
+  contents: read
 
 jobs:
   run-all:
diff --git a/.github/workflows/test-pytest.yaml b/.github/workflows/test-pytest.yaml
index 408eb26..e27f0ab 100644
--- a/.github/workflows/test-pytest.yaml
+++ b/.github/workflows/test-pytest.yaml
@@ -1,5 +1,4 @@
 name: Check - pytest
-
 on:
   pull_request:
     paths:
@@ -10,6 +9,8 @@ on:
       - "uv.lock"
   workflow_call:
   workflow_dispatch:
+permissions:
+  contents: read
 
 jobs:
   pytest: