Restrict GitHub Actions workflow permissions

dguido · claude · dguido · commit 47ff7dc1d954 · 2026-01-26T13:19:13.000-05:00
Add explicit minimal permissions to all workflows to follow
security best practices (fixes zizmor excessive-permissions audit).

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -8,6 +8,9 @@ on:
     branches: [main, dev]
     paths: ["**/*.py"]
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/pip-audit.yaml b/.github/workflows/pip-audit.yaml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [dev, main]
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -4,8 +4,12 @@ on:
   release:
     types: [published]
 
+permissions: {}
+
 jobs:
   build-release:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -5,6 +5,9 @@ on:
     branches: [main]
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
