Add permission for workflows

Author: haochengxia

.github/workflows/npm-release.yml

@@ -10,7 +10,8 @@ on:
       - 'libCacheSim-node/**'
 
 permissions:
-  contents: read  # Default permission for reading repository contents
+  contents: read   # 读取仓库内容
+  actions: read    # 读取 artifacts（如果需要）
 
 env:
   BUILD_TYPE: Release

.github/workflows/pypi-release.yml

@@ -1,14 +1,15 @@
 name: Python Package
 
 on:
-  push:
-    branches: ["*"]
-  pull_request:
-      branches: ["*"]
   release:
     types: [published]
   workflow_dispatch:  # Allow manual triggering
 
+permissions:
+  contents: read
+  actions: read
+  id-token: write
+
 jobs:
   build-wheels:
     name: Build wheels on ${{ matrix.os }}
@@ -103,7 +104,7 @@ jobs:
     name: Publish to PyPI
     needs: [build-wheels, build-sdist]
     runs-on: ubuntu-latest
-    # if: github.event_name == 'release' && github.event.action == 'published'
+    if: github.event_name == 'release' && github.event.action == 'published'
     environment:
       name: pypi
       url: https://pypi.org/p/libcachesim
@@ -133,6 +134,7 @@ jobs:
     name: Publish to TestPyPI
     needs: [build-wheels, build-sdist]
     runs-on: ubuntu-latest
+    if: github.event_name == 'workflow_dispatch'
     environment:
       name: testpypi
       url: https://test.pypi.org/p/libcachesim

.github/workflows/python.yml

@@ -2,6 +2,9 @@ name: Python
 
 on: [push, pull_request]
 
+permissions:
+  contents: read  # 读取仓库内容
+
 jobs:
   build:
     runs-on: ubuntu-latest