ci: use explicit and per job permissions (#3002)

* ci: use explicit and per job permissions * update CHANGELOG
2026-04-28 03:43:21 -07:00 · 2026-04-07 14:39:41 -06:00
parent c55b06860c
commit 0798528b7b
9 changed files with 20 additions and 12 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -11,11 +11,10 @@ on:
    types: [edited, published]
  workflow_dispatch: # manual trigger for testing

-permissions:
-  contents: write
-
 jobs:
  build:
+    permissions:
+      contents: read
    name: PyInstaller for ${{ matrix.os }} / Py ${{ matrix.python_version }}
    runs-on: ${{ matrix.os }}
    strategy:
@@ -139,6 +138,8 @@ jobs:
    if: github.event_name == 'release'
    name: zip and upload ${{ matrix.asset_name }}
    runs-on: ubuntu-latest
+    permissions:
+      contents: write
    needs: [build]
    strategy:
      matrix:
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -7,11 +7,10 @@ on:
  pull_request_target:
    types: [opened, edited, synchronize]

-permissions:
-  pull-requests: write
-
 jobs:
  check_changelog:
+    permissions:
+      pull-requests: write
    # no need to check for dependency updates via dependabot
    # github.event.pull_request.user.login refers to PR author
    if: |
--- a/.github/workflows/pip-audit.yml
+++ b/.github/workflows/pip-audit.yml
@@ -4,6 +4,8 @@ on:
  schedule:
  - cron: '0 8 * * 1'

+permissions: read-all
+
 jobs:
  test:
    runs-on: ubuntu-latest
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -7,7 +7,7 @@ on:
    types: [published]

 permissions:
-  contents: write
+  contents: read

 jobs:
  pypi-publish:
--- a/.github/workflows/ruff-format.yml
+++ b/.github/workflows/ruff-format.yml
@@ -9,11 +9,10 @@ on:
      - '**.md'
  workflow_dispatch: # allow manual trigger

-permissions:
-  contents: write
-
 jobs:
  ruff-format:
+    permissions:
+      contents: write
    # only run on dependabot PRs or manual trigger
    if: github.actor == 'dependabot[bot]' || github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-22.04
--- a/.github/workflows/web-deploy.yml
+++ b/.github/workflows/web-deploy.yml
@@ -12,8 +12,6 @@ on:
 # Sets the GITHUB_TOKEN permissions to allow deployment to GitHub Pages
 permissions:
  contents: read
-  pages: write
-  id-token: write

 # Allow one concurrent deployment
 concurrency:
@@ -105,6 +103,9 @@ jobs:

  deploy:
    name: Deploy site to GitHub Pages
+    permissions:
+      pages: write
+      id-token: write
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
--- a/.github/workflows/web-release.yml
+++ b/.github/workflows/web-release.yml
@@ -14,6 +14,9 @@ jobs:
  build-and-release:
    needs: run-tests
    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
    steps:
    - uses: actions/checkout@v4

--- a/.github/workflows/web-tests.yml
+++ b/.github/workflows/web-tests.yml
@@ -7,6 +7,8 @@ on:
      - 'web/explorer/**'
  workflow_call:  # this allows the workflow to be called by other workflows

+permissions: read-all
+
 jobs:
  test:
    runs-on: ubuntu-latest
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,6 +17,7 @@
 ### capa Explorer IDA Pro plugin

 ### Development
+- ci: use explicit and per job permissions @mike-hunhoff #3002
 - replace black/isort/flake8 with ruff @mike-hunhoff #2992

 ### Raw diffs