Locks down permissions to the job level with least privledge we can get away with

2026-02-16 00:19:32 -06:00 · 2026-02-13 08:44:27 -08:00
parent 8db1c4e08b
commit 6b3e36eee6
13 changed files with 73 additions and 13 deletions
--- a/.github/workflows/ci-docs.yml
+++ b/.github/workflows/ci-docs.yml
@@ -21,10 +21,7 @@ on:
 concurrency:
  group: docs-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
-permissions:
-  contents: read
-  pages: write
-  id-token: write
+permissions: {}
 env:
  DEFAULT_UV_VERSION: "0.10.x"
  DEFAULT_PYTHON_VERSION: "3.12"
@@ -32,6 +29,8 @@ jobs:
  build:
    name: Build Documentation
    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
    steps:
      - uses: actions/configure-pages@v5
      - name: Checkout
@@ -67,6 +66,10 @@ jobs:
    needs: build
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}