2026-04-11

hyperupcall · hyperupcall · commit b9bd557c241d · 2026-04-11T16:09:44.000-07:00
diff --git a/.github/workflows/update-denylist.yaml b/.github/workflows/update-denylist.yaml
@@ -5,12 +5,18 @@ on:
     - cron: '0 1 */7 * *'
   workflow_dispatch:
 
+concurrency:
+  group: '${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}'
+  cancel-in-progress: true
+
+permissions: {}
+
 jobs:
   update-and-commit:
     environment: 'otternaut'
     runs-on: 'ubuntu-latest'
     permissions:
-      contents: 'write'
+      contents: 'read'
 
     steps:
       - name: 'Checkout repository'
@@ -31,6 +37,8 @@ jobs:
           passphrase: '${{ secrets.GPG_PRIVATE_KEY_PASSWORD }}'
 
       - name: 'Commit'
+        permissions:
+          contents: 'write'
         run: |
           _date=$(date '+%Y-%m-%d')
           git add config/ublacklist-compiled.txt
diff --git a/.github/workflows/validate.yaml b/.github/workflows/validate.yaml
@@ -3,6 +3,12 @@ on:
   push:
     branches: ['trunk']
 
+concurrency:
+  group: '${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}'
+  cancel-in-progress: true
+
+permissions: {}
+
 jobs:
   validate:
     runs-on: 'ubuntu-latest'
diff --git a/.github/workflows/website.yaml b/.github/workflows/website.yaml
@@ -5,15 +5,13 @@ on:
     branches: ['trunk']
   workflow_dispatch:
 
-permissions:
-  contents: read
-  pages: write
-  id-token: write
-
 concurrency:
-  group: 'pages'
+  group: '${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}'
   cancel-in-progress: false
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: 'ubuntu-latest'
@@ -47,6 +45,9 @@ jobs:
           path: './docs/_site'
 
   deploy:
+    permissions:
+      pages: write
+      id-token: write
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
