security: Add permissions blocks to workflows, pin codecov action

lukekim · lukekim · commit 83031202eb86 · 2026-01-07T14:04:18.000-08:00
- Add 'permissions: contents: read' to build.yml, lint.yml, test.yml
- Add 'permissions: contents: write' to version.yml (needs write for tags)
- Pin codecov/codecov-action to commit hash v4.5.0
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -12,6 +12,9 @@ on:
       - v*
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   Build:
     runs-on: ${{ matrix.os }}
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -11,6 +11,9 @@ on:
     tags:
       - v*
 
+permissions:
+  contents: read
+
 jobs:
   lint-ruff:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -13,6 +13,9 @@ on:
 
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   test_pip_install:
     runs-on: ubuntu-latest
@@ -157,7 +160,7 @@ jobs:
           pytest --cov=spicepy --cov-report=xml --cov-report=term-missing --ignore=tests/test_main.py tests/
       - name: Upload coverage to Codecov
         if: matrix.python-version == '3.12'
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24  # v4.5.0
         with:
           files: ./coverage.xml
           fail_ci_if_error: false
diff --git a/.github/workflows/version.yml b/.github/workflows/version.yml
@@ -8,6 +8,9 @@ on:
       - 'setup.py'
   workflow_dispatch:
 
+permissions:
+  contents: write
+
 jobs:
   check-and-extract:
     runs-on: ubuntu-latest
