ci: explicit permissions for actions (#702)

doublethink · web-flow · commit 485d7ff17f86 · 2025-04-15T11:49:37.000+12:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -12,6 +12,10 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   test:
     name: Test / OS ${{ matrix.os }} / Python ${{ matrix.python-version }}
diff --git a/.github/workflows/conventional-commits.yml b/.github/workflows/conventional-commits.yml
@@ -6,7 +6,7 @@ on:
       - master
       - release/*
 
-  pull_request_target:
+  pull_request:
     branches:
       - master
       - release/*
@@ -16,6 +16,9 @@ on:
       - reopened
       - ready_for_review
 
+permissions:
+  contents: read
+
 jobs:
   check-conventional-commits:
     runs-on: ubuntu-latest
@@ -26,7 +29,7 @@ jobs:
           sparse-checkout: |
             .github
 
-      - if: ${{ github.event_name == 'pull_request_target' }}
+      - if: ${{ github.event_name == 'pull_request' }}
         run: |
           set -ex
 
diff --git a/.github/workflows/manual_pypi_publish.yml b/.github/workflows/manual_pypi_publish.yml
@@ -2,6 +2,9 @@ name: Manual PyPi Publish
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Test / OS ${{ matrix.os }} / Python ${{ matrix.python-version }}
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -4,6 +4,11 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
+permissions:
+  contents: write
+  issues: write
+  pull-requests: write
+
 jobs:
   mark_stale:
     name: Mark issues and PRs as Stale
