diff --git a/.github/workflows/branch-pr-release.yaml b/.github/workflows/branch-pr-release.yaml
index 23695b71..b9519ce8 100644
--- a/.github/workflows/branch-pr-release.yaml
+++ b/.github/workflows/branch-pr-release.yaml
@@ -5,6 +5,10 @@ on:
 pull_request:
 branches:
 - main
+
+permissions:
+ contents: read
+
 jobs:
 build:
 strategy:
@@ -12,6 +16,8 @@ jobs:
 matrix:
 os: [macos-latest, ubuntu-latest, windows-latest]
 runs-on: ${{ matrix.os }}
+ permissions:
+ contents: read
 steps:
 - name: Checkout
 uses: actions/checkout@v5
@@ -22,7 +28,7 @@ jobs:
 - name: Set up Python
 uses: actions/setup-python@v6
 with:
- python-version: "3.x"
+ python-version: "3.13"
 - name: Setup NPM
 run: |
 npm install
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index bc39ef19..9640fbab 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -4,9 +4,14 @@ on:
 release:
 types: [published]
+permissions:
+ contents: read
+
 jobs:
 deploy:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v5
 - uses: actions/setup-node@v5
diff --git a/.github/workflows/template-schema-updater.yaml b/.github/workflows/template-schema-updater.yaml
index f50181ba..8a688fae 100644
--- a/.github/workflows/template-schema-updater.yaml
+++ b/.github/workflows/template-schema-updater.yaml
@@ -3,9 +3,16 @@ on:
 schedule:
 - cron: '0 */8 * * *'
 workflow_dispatch: # Enables on-demand/manual triggering: https://docs.github.com/en/free-pro-team@latest/actions/managing-workflow-runs/manually-running-a-workflow
+
+permissions:
+ contents: read
+
 jobs:
 schema-updater:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
 steps:
 - uses: actions/checkout@v5
 - uses: actions/checkout@v5
@@ -15,7 +22,7 @@ jobs:
 ref: main
 - uses: actions/setup-python@v6
 with:
- python-version: '3.9'
+ python-version: '3.13'
 - name: Install Poetry
 uses: snok/install-poetry@v1
 - run: |
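Review bot: The job-level `permissions: contents: read` added under `build` duplicates the workflow-level block added in the previous hunk, so it grants nothing new; the same redundant pair is added to the `deploy` job in publish.yaml. A job-level `permissions` block replaces the workflow-level one rather than extending it, so a copy that only restates the default is noise and tends to drift when one of the two is later edited. Either drop the job-level copies or, if the intent is that every job stays self-describing, record that once above the job block: `# Intentionally mirrors the workflow-level default so each job is explicit about its token scopes`. The `build` job continues outside the hunk.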
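Review bot: The `deploy` job now runs with only `contents: read`, which is the right minimum for a token that should never push, but it also means the publish step (outside this hunk) must authenticate with a stored registry secret rather than OIDC — if the intent is npm trusted publishing or provenance attestation, `id-token: write` is missing from the job block. Please confirm against the remaining steps and record the decision next to the block, e.g. `# read-only GITHUB_TOKEN: publishing authenticates with a repository secret, not OIDC`, or add `id-token: write` if provenance is in use.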
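Review bot: The `schema-updater` job is granted `contents: write` and `pull-requests: write` on an 8-hourly cron with no comment saying which step needs them, while the job's third-party action `snok/install-poetry@v1` (visible in the next hunk) is pinned only to a moving tag, so a compromised or retargeted tag would execute with those write scopes. Since the job-level `permissions` block replaces the workflow-level `contents: read` entirely, this job ends up with exactly those two scopes, which is the right shape for a job that pushes a branch and opens a PR; the reason still belongs next to the block, e.g. `# Overrides the read-only workflow default; required by the step that pushes the updated schema and opens the PR` (adjust to the actual steps, which are outside the hunk). Consider pinning the non-GitHub action to a full commit SHA, `uses: snok/install-poetry@<full-commit-sha>  # v1`, so the write-scoped job only runs reviewed code.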