ci: set default permissions for workflows

The default workflow permissions are overly broad; setting permissions
explicitly at the workflow level ensures excessive permissions are not
unintentionally granted to jobs. For details, see:
https://docs.zizmor.sh/audits/#excessive-permissions
Daniel Hast
2026-03-07 10:05:39 -05:00
parent 63844b7904
commit 755087f8ef
20 changed files with 57 additions and 0 deletions

@@ -4,6 +4,9 @@ on:
types: [labeled, opened, synchronize, reopened]
workflow_dispatch:
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
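
Review bot: The workflow-level `permissions:` block added after `workflow_dispatch:` lists only `contents: read`, and once any scope is listed, every unlisted scope drops to none for all jobs in this file. The jobs are outside this hunk, so confirm that none of them needs a write scope (for example to comment on or label a pull request); any job that does should get its own job-level `permissions:` block rather than a wider default here. A stricter variant would be `permissions: {}` at this level, with each job declaring exactly what it needs.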