From a9833d635dd5201cd94cc9d061590e41e24ea0cc Mon Sep 17 00:00:00 2001
From: Eliah Kagan
Date: Fri, 30 May 2025 15:38:00 -0400
Subject: [PATCH] Specify explicit `contents: read` workflow permissions

Three CI workflows that need only `contents: read` permissions and no other permissions did not have explicit permissions set, and would therefore be given default permissions configured for the repository, which might be more expansive than the workflows need. It is recommended to set explicit workflow permissions [1]. This does that, specifying permissions as `pythonpackage.yml` already did, and closing three `actions/missing-workflow-permissions` CodeQL alerts (new since #2032 enabled scanning of GHA workflows).

[1]: https://codeql.github.com/codeql-query-help/actions/actions-missing-workflow-permissions/
---
 .github/workflows/alpine-test.yml | 3 +++
 .github/workflows/cygwin-test.yml | 3 +++
 .github/workflows/lint.yml | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/.github/workflows/alpine-test.yml b/.github/workflows/alpine-test.yml
index bd09a939b..513c65bb8 100644
--- a/.github/workflows/alpine-test.yml
+++ b/.github/workflows/alpine-test.yml
@@ -2,6 +2,9 @@ name: test-alpine
 
 on: [push, pull_request, workflow_dispatch]
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/cygwin-test.yml b/.github/workflows/cygwin-test.yml
index 278777907..572a9197e 100644
--- a/.github/workflows/cygwin-test.yml
+++ b/.github/workflows/cygwin-test.yml
@@ -2,6 +2,9 @@ name: test-cygwin
 
 on: [push, pull_request, workflow_dispatch]
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: windows-latest
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index a0e81a993..ceba0dd85 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -2,6 +2,9 @@ name: Lint
 
 on: [push, pull_request, workflow_dispatch]
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest
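Review bot: The new top-level `permissions:` block in alpine-test.yml (and the identical blocks in cygwin-test.yml and lint.yml) would benefit from a one-line comment recording that it is the least-privilege default for every job, so a future step that needs another scope gets it at job level instead of by widening this block: `# Least privilege for all jobs; grant additional scopes per job if a step ever needs them.` A top-level `permissions:` map sets every scope not listed to none, so any step that writes to the GitHub API (pushing, commenting, uploading) now fails with a 403 until its job declares its own `permissions:` entry. The jobs' steps lie outside these hunks, so whether any of them presumably needs more than checkout cannot be confirmed here; worth a quick scan of the step lists before merging.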