Merge pull request #1015 from tiran/minimal-permissions

ci: add minimal permissions to GitHub Actions workflows

Author: mergify[bot]

.github/workflows/check.yaml

@@ -4,6 +4,9 @@ on:
   - push
   - pull_request
 
+permissions:
+  contents: read
+
 jobs:
   pre-commit:
     name: pre-commit

.github/workflows/python-publish.yaml

@@ -6,6 +6,9 @@ name: Upload Python Package
 on:
   - push
 
+permissions:
+  contents: read
+
 jobs:
   build-n-publish:
     name: Build and publish Python distributions to PyPI
@@ -15,6 +18,7 @@ jobs:
     environment: release
 
     permissions:
+      contents: read
       # IMPORTANT: this permission is mandatory for trusted publishing
       id-token: write
 

.github/workflows/test.yaml

@@ -4,6 +4,9 @@ name: CI
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   unit:
     name: unit