Refine the permission jobs in sphinx workflow

thomass-dev · thomass-dev · commit 6d7dc53a2ebd · 2025-04-24T12:15:50.000+02:00
diff --git a/.github/workflows/sphinx.yml b/.github/workflows/sphinx.yml
@@ -60,6 +60,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   sphinx-changes:
     runs-on: ubuntu-latest
@@ -113,6 +115,8 @@ jobs:
     runs-on: ubuntu-latest
     needs: [sphinx-version]
     if: ${{ (contains(fromJSON('["push", "release"]'), github.event_name)) || (needs.sphinx-changes.outputs.changes == 'true') }}
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -136,9 +140,12 @@ jobs:
     if: ${{ (contains(fromJSON('["push", "release"]'), github.event_name)) }}
     runs-on: ubuntu-latest
     needs: [sphinx-version, sphinx-build]
+    permissions:
+      contents: read
     steps:
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        sparse-checkout: .github
 
       - name: Download HTML artifacts
         uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
@@ -158,8 +165,11 @@ jobs:
     if: ${{ github.event_name == 'release' }}
     runs-on: ubuntu-latest
     needs: [sphinx-version, sphinx-build, sphinx-deploy-html]
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        sparse-checkout: .github
       - shell: python
         run: |
             import os
