Revisit GitHub Actions

r-brown · r-brown · commit 2afc75c4e1a1 · 2026-05-15T08:51:23.000+02:00
diff --git a/.github/workflows/netlicensing-publish-pypi.yml b/.github/workflows/netlicensing-publish-pypi.yml
@@ -16,10 +16,16 @@ on:
   release:
     types: [published]
 
+# Restrict the default GITHUB_TOKEN to read-only.
+# The publish job adds id-token: write for OIDC Trusted Publisher.
+permissions:
+  contents: read
+
 jobs:
   test:
     name: "Test before publish"
     runs-on: ubuntu-latest
+    # inherits workflow-level permissions: contents: read
 
     steps:
       - uses: actions/checkout@v4
diff --git a/.github/workflows/netlicensing-publish-testpypi.yml b/.github/workflows/netlicensing-publish-testpypi.yml
@@ -21,10 +21,16 @@ on:
     branches: [master]
   workflow_dispatch:
 
+# Restrict the default GITHUB_TOKEN to read-only.
+# The publish job adds id-token: write for OIDC Trusted Publisher.
+permissions:
+  contents: read
+
 jobs:
   test:
     name: "Test before publish"
     runs-on: ubuntu-latest
+    # inherits workflow-level permissions: contents: read
 
     steps:
       - uses: actions/checkout@v4
diff --git a/.github/workflows/netlicensing-python-ci.yml b/.github/workflows/netlicensing-python-ci.yml
@@ -9,6 +9,11 @@ on:
   pull_request:
     branches: [master]
 
+# Restrict the default GITHUB_TOKEN to read-only.
+# Individual jobs add back only the permissions they need.
+permissions:
+  contents: read
+
 jobs:
   test:
     name: "Test · Python ${{ matrix.python-version }}"
diff --git a/.github/workflows/netlicensing-python-dependency.yml b/.github/workflows/netlicensing-python-dependency.yml
@@ -10,6 +10,10 @@ on:
     - cron: "0 6 * * 1"   # every Monday at 06:00 UTC
   workflow_dispatch:
 
+# Restrict the default GITHUB_TOKEN to read-only.
+permissions:
+  contents: read
+
 jobs:
   smoke-test:
     name: "Smoke test · Python ${{ matrix.python-version }}"
