CI: Restrict default permissions

tacaswell · tacaswell · commit 91ff85107866 · 2025-07-17T23:19:36.000-04:00
Reduces risk of arbitrary code is run by attacker.
diff --git a/.github/workflows/black.yml b/.github/workflows/black.yml
@@ -1,4 +1,6 @@
 name: Check Code Style - BLACK
+permissions:
+  contents: read
 
 on: [push, pull_request]
 
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -1,4 +1,6 @@
 name: Docs
+permissions:
+  contents: read
 
 on: [push, pull_request]
 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,6 +1,8 @@
 ---
 
 name: Release
+permissions:
+  contents: read
 on:
   release:
     types:
diff --git a/.github/workflows/ruff.yml b/.github/workflows/ruff.yml
@@ -1,4 +1,6 @@
 name: Check Code Style - ruff
+permissions:
+  contents: read
 
 on: [push, pull_request]
 
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
@@ -1,4 +1,6 @@
 name: Unit Tests
+permissions:
+  contents: read
 
 on: [push, pull_request]
 
