actions: restrict permissions in jobs

oscarbenjamin · oscarbenjamin · commit 9979b578dc2d · 2026-04-04T12:49:45.000+01:00
diff --git a/.github/workflows/buildwheel.yml b/.github/workflows/buildwheel.yml
@@ -2,6 +2,9 @@ name: Build
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 env:
   # These four values need to be kept in sync. Each pyodide version pins an
   # emscripten version and a CPython version.
@@ -155,6 +158,7 @@ jobs:
     needs: build_wheels
     name: Test ${{ matrix.python-version }} wheel on ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
+    permissions: {}
     strategy:
       fail-fast: false
       matrix:
@@ -200,6 +204,7 @@ jobs:
     needs: build_wheels
     name: Test Pyodide wheel
     runs-on: ubuntu-22.04
+    permissions: {}
 
     steps:
       - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
@@ -400,6 +405,7 @@ jobs:
     # Run on push/merge to main
     if: github.event_name == 'push' && github.ref == 'refs/heads/main'
     runs-on: ubuntu-latest
+    permissions: {}
 
     steps:
         # Downloads all artifacts
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -2,6 +2,9 @@ name: Linting
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest
