Locks down permissions to the job level with least privledge we can get away with

2026-02-22 00:49:35 -06:00 · 2026-02-13 08:44:27 -08:00
parent 8db1c4e08b
commit 6b3e36eee6
13 changed files with 73 additions and 13 deletions
--- a/.github/workflows/ci-lint.yml
+++ b/.github/workflows/ci-lint.yml
@@ -9,10 +9,13 @@ on:
 concurrency:
  group: lint-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
+permissions: {}
 jobs:
  lint:
    name: Linting via prek
    runs-on: ubuntu-slim
+    permissions:
+      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v6.0.2