reduce permissions scope for all github workflows

LockedThread · LockedThread · commit c89f259b176f · 2026-06-19T14:43:15.000Z
diff --git a/.github/workflows/automatic-release.yaml b/.github/workflows/automatic-release.yaml
@@ -13,12 +13,17 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   # workflow_dispatch:
 
+# Deny all GITHUB_TOKEN scopes by default; jobs opt into the minimum they need.
+permissions: {}
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   # This workflow contains a single job called "build"
   get-labels:
     if: ${{github.event.pull_request.merged == true && !startsWith(github.head_ref, 'release/')}}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       labels: ${{ steps.match-label.outputs.match }}
     steps:
diff --git a/.github/workflows/build-and-validate.yaml b/.github/workflows/build-and-validate.yaml
@@ -10,6 +10,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
   cancel-in-progress: true
 
+# Deny all GITHUB_TOKEN scopes by default; jobs opt into the minimum they need.
+permissions: {}
+
 env:
   REGISTRY: ghcr.io
 
diff --git a/.github/workflows/build-full-matrix.yaml b/.github/workflows/build-full-matrix.yaml
@@ -17,6 +17,9 @@ on:
   schedule:
     - cron: "21 8 * * 1"
 
+# Deny all GITHUB_TOKEN scopes by default; jobs opt into the minimum they need.
+permissions: {}
+
 env:
   REGISTRY: ghcr.io
 
diff --git a/.github/workflows/build-python-base.yaml b/.github/workflows/build-python-base.yaml
@@ -15,6 +15,9 @@ on:
       - main
       - development
 
+# Deny all GITHUB_TOKEN scopes by default; jobs opt into the minimum they need.
+permissions: {}
+
 env:
   REGISTRY: ghcr.io
 
diff --git a/.github/workflows/pr-labels.yaml b/.github/workflows/pr-labels.yaml
@@ -8,10 +8,14 @@ on:
     branches: [ main ]
     types: [ opened, labeled, unlabeled, synchronize ]
 
+permissions: {}
+
 jobs:
   contains-labels:
     if: ${{!startsWith(github.head_ref, 'release/')}}
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
     steps:
       - uses: jesusvasquez333/verify-pr-label-action@v1.4.0
         with:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -13,6 +13,9 @@ on:
         required: true
         type: string
 
+# Deny all GITHUB_TOKEN scopes by default; jobs opt into the minimum they need.
+permissions: {}
+
 env:
   REGISTRY: ghcr.io
 
