Add explicit permissions to workflows

Mrtenz · Mrtenz · commit df29b675aa19 · 2026-04-15T11:14:14.000+02:00
diff --git a/.github/workflows/build-lint-test.yml b/.github/workflows/build-lint-test.yml
@@ -3,6 +3,9 @@ name: Build, Lint, and Test
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   prepare:
     name: Prepare
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -5,6 +5,9 @@ on:
     branches: [main]
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   check-workflows:
     name: Check workflows
@@ -67,6 +70,7 @@ jobs:
       - check-workflows
       - analyse-code
       - build-lint-test
+    permissions: {}
     outputs:
       PASSED: ${{ steps.set-output.outputs.PASSED }}
     steps:
@@ -79,6 +83,7 @@ jobs:
     if: ${{ always() }}
     runs-on: ubuntu-latest
     needs: all-jobs-completed
+    permissions: {}
     steps:
       - name: Check that all jobs have passed
         run: |
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
@@ -9,6 +9,10 @@ on:
         required: true
       PUBLISH_DOCS_TOKEN:
         required: true
+
+permissions:
+  contents: read
+
 jobs:
   publish-release:
     permissions:
