Merge pull request #339 from incertum/chore/workflow-permissions

alexanderjordanbaker · web-flow · commit e5b556b0d33b · 2025-10-28T10:10:04.000-07:00
chore: restrict GitHub workflow permissions - future-proof
diff --git a/.github/workflows/ci-prb.yml b/.github/workflows/ci-prb.yml
@@ -1,5 +1,8 @@
 name: PR Builder
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     branches: [ main ]
diff --git a/.github/workflows/ci-release-docs.yml b/.github/workflows/ci-release-docs.yml
@@ -1,10 +1,9 @@
 name: Doc Builder
+permissions:
+  contents: read
 on:
   release:
     types: [published]
-permissions:
-  pages: write
-  id-token: write
 jobs:
   build:
     name: Doc Builder
@@ -26,6 +25,9 @@ jobs:
         with:
           path: docs
   deploy:
+    permissions:
+      pages: write
+      id-token: write
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
diff --git a/.github/workflows/ci-release.yml b/.github/workflows/ci-release.yml
@@ -1,4 +1,6 @@
 name: Publish Library
+permissions:
+  contents: read
 on:
   release:
     types: [published]
