[actions] restrict permissions

gcanlin · ljharb · commit 0265dc4b2b85 · 2025-10-09T13:30:12.000-07:00
diff --git a/.github/workflows/node-aught.yml b/.github/workflows/node-aught.yml
@@ -2,6 +2,9 @@ name: 'Tests: node.js < 10'
 
 on: [pull_request, push]
 
+permissions:
+  contents: read
+
 jobs:
   tests:
     uses: ljharb/actions/.github/workflows/node.yml@main
diff --git a/.github/workflows/node-pretest.yml b/.github/workflows/node-pretest.yml
@@ -2,6 +2,9 @@ name: 'Tests: pretest/posttest'
 
 on: [pull_request, push]
 
+permissions:
+  contents: read
+
 jobs:
   tests:
     uses: ljharb/actions/.github/workflows/pretest.yml@main
diff --git a/.github/workflows/node-tens.yml b/.github/workflows/node-tens.yml
@@ -2,6 +2,9 @@ name: 'Tests: node.js >= 10'
 
 on: [pull_request, push]
 
+permissions:
+  contents: read
+
 jobs:
   tests:
     uses: ljharb/actions/.github/workflows/node.yml@main
diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml
@@ -2,8 +2,14 @@ name: Automatic Rebase
 
 on: [pull_request_target]
 
+permissions:
+  contents: read
+
 jobs:
   _:
+    permissions:
+      contents: write
+      pull-requests: read
     name: "Automatic Rebase"
 
     runs-on: ubuntu-latest
diff --git a/.github/workflows/require-allow-edits.yml b/.github/workflows/require-allow-edits.yml
@@ -2,8 +2,13 @@ name: Require “Allow Edits”
 
 on: [pull_request_target]
 
+permissions:
+  contents: read
+
 jobs:
   _:
+    permissions:
+      pull-requests: read
     name: "Require “Allow Edits”"
 
     runs-on: ubuntu-latest
