ci: add minimal permissions to GitHub Actions workflows

tiran · claude · tiran · commit 2e9f9b855ab2 · 2026-04-02T07:29:21.000+02:00
Add top-level `permissions: contents: read` to all three workflows (test, check, python-publish) to follow the GitHub security hardening recommendation of least-privilege token permissions. The publish workflow's existing job-level `id-token: write` override remains intact for trusted publishing. See: #1008 Co-Authored-By: Claude <claude@anthropic.com> Signed-off-by: Christian Heimes <cheimes@redhat.com>
diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml
@@ -4,6 +4,9 @@ on:
   - push
   - pull_request
 
+permissions:
+  contents: read
+
 jobs:
   pre-commit:
     name: pre-commit
diff --git a/.github/workflows/python-publish.yaml b/.github/workflows/python-publish.yaml
@@ -6,6 +6,9 @@ name: Upload Python Package
 on:
   - push
 
+permissions:
+  contents: read
+
 jobs:
   build-n-publish:
     name: Build and publish Python distributions to PyPI
@@ -15,6 +18,7 @@ jobs:
     environment: release
 
     permissions:
+      contents: read
       # IMPORTANT: this permission is mandatory for trusted publishing
       id-token: write
 
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -4,6 +4,9 @@ name: CI
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   unit:
     name: unit
