ci: scope GITHUB_TOKEN permissions per job

emptyhammond · emptyhammond · commit a81c51881dcf · 2026-05-26T12:36:25.000+01:00
Set a top-level permissions: {} on each workflow and grant each job the
narrowest GITHUB_TOKEN scopes it actually needs (contents: read for
checkout-based jobs, id-token: write preserved for the PyPI trusted
publishing jobs). Previously the workflows ran with the repository's
default token permissions.
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
@@ -11,9 +11,12 @@ on:
     branches:
       - main
 
+permissions: {}
+
 jobs:
   check:
-
+    permissions:
+      contents: read
     runs-on: ubuntu-22.04
     strategy:
       fail-fast: false
diff --git a/.github/workflows/features.yml b/.github/workflows/features.yml
@@ -6,8 +6,12 @@ on:
     branches:
       - main
 
+permissions: {}
+
 jobs:
   build:
+    permissions:
+      contents: read
     uses: ably/features/.github/workflows/sdk-features.yml@main
     with:
       repository-name: ably-python
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -6,8 +6,12 @@ on:
     branches:
       - main
 
+permissions: {}
+
 jobs:
   lint:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -6,10 +6,14 @@ on:
     tags:
       - 'v[0-9]+.[0-9]+.[0-9]+*'
 
+permissions: {}
+
 jobs:
   build:
     name: Build distribution 📦
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - uses: actions/checkout@v4
