From 0798528b7b735bfe2ddca7472b7db7474b95f3c1 Mon Sep 17 00:00:00 2001
From: Mike Hunhoff
Date: Tue, 7 Apr 2026 14:39:41 -0600
Subject: [PATCH] ci: use explicit and per job permissions (#3002)

* ci: use explicit and per job permissions

* update CHANGELOG
---
 .github/workflows/build.yml | 7 ++++---
 .github/workflows/changelog.yml | 5 ++---
 .github/workflows/pip-audit.yml | 2 ++
 .github/workflows/publish.yml | 2 +-
 .github/workflows/ruff-format.yml | 5 ++---
 .github/workflows/web-deploy.yml | 5 +++--
 .github/workflows/web-release.yml | 3 +++
 .github/workflows/web-tests.yml | 2 ++
 CHANGELOG.md | 1 +
 9 files changed, 20 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index db3b5f1e..6d91762d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -11,11 +11,10 @@ on:
 types: [edited, published]
 workflow_dispatch: # manual trigger for testing
 
-permissions:
- contents: write
-
 jobs:
 build:
+ permissions:
+ contents: read
 name: PyInstaller for ${{ matrix.os }} / Py ${{ matrix.python_version }}
 runs-on: ${{ matrix.os }}
 strategy:
@@ -139,6 +138,8 @@ jobs:
 if: github.event_name == 'release'
 name: zip and upload ${{ matrix.asset_name }}
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 needs: [build]
 strategy:
 matrix:
diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
index 20914f43..1b7ebf9e 100644
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -7,11 +7,10 @@ on:
 pull_request_target:
 types: [opened, edited, synchronize]
 
-permissions:
- pull-requests: write
-
 jobs:
 check_changelog:
+ permissions:
+ pull-requests: write
 # no need to check for dependency updates via dependabot
 # github.event.pull_request.user.login refers to PR author
 if: |
diff --git a/.github/workflows/pip-audit.yml b/.github/workflows/pip-audit.yml
index a754b0ac..9a4dfb69 100644
--- a/.github/workflows/pip-audit.yml
+++ b/.github/workflows/pip-audit.yml
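Review bot: Removing the workflow-level `permissions` block outright, instead of lowering it, leaves any job in build.yml that has no job-level `permissions` key on the repository's default GITHUB_TOKEN permissions, which on older repositories is read/write on every scope; changelog.yml and ruff-format.yml make the same move. A restrictive floor at the top, `permissions:` / `  contents: read` (or `permissions: {}`), with only the zip-and-upload job raised to `contents: write` as the second hunk does, keeps least privilege independent of repository settings. A job-level `permissions` key replaces the workflow-level one for that job rather than merging with it, so `build` still needs its explicit `contents: read` once such a floor exists. Each file's `on:` block starts above the hunk and the jobs' step lists run past it, so whether other jobs exist in these workflows is not visible here.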
@@ -4,6 +4,8 @@ on:
 schedule:
 - cron: '0 8 * * 1'
 
+permissions: read-all
+
 jobs:
 test:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 6d377429..ec6a773b 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -7,7 +7,7 @@ on:
 types: [published]
 
 permissions:
- contents: write
+ contents: read
 
 jobs:
 pypi-publish:
diff --git a/.github/workflows/ruff-format.yml b/.github/workflows/ruff-format.yml
index 51a4a342..b1f897bf 100644
--- a/.github/workflows/ruff-format.yml
+++ b/.github/workflows/ruff-format.yml
@@ -9,11 +9,10 @@ on:
 - '**.md'
 workflow_dispatch: # allow manual trigger
 
-permissions:
- contents: write
-
 jobs:
 ruff-format:
+ permissions:
+ contents: write
 # only run on dependabot PRs or manual trigger
 if: github.actor == 'dependabot[bot]' || github.event_name == 'workflow_dispatch'
 runs-on: ubuntu-22.04
diff --git a/.github/workflows/web-deploy.yml b/.github/workflows/web-deploy.yml
index 518230f2..6b728b95 100644
--- a/.github/workflows/web-deploy.yml
+++ b/.github/workflows/web-deploy.yml
@@ -12,8 +12,6 @@ on:
 # Sets the GITHUB_TOKEN permissions to allow deployment to GitHub Pages
 permissions:
 contents: read
- pages: write
- id-token: write
 
 # Allow one concurrent deployment
 concurrency:
@@ -105,6 +103,9 @@ jobs:
 
 deploy:
 name: Deploy site to GitHub Pages
+ permissions:
+ pages: write
+ id-token: write
 environment:
 name: github-pages
 url: ${{ steps.deployment.outputs.page_url }}
diff --git a/.github/workflows/web-release.yml b/.github/workflows/web-release.yml
index e81f35b2..6e6af894 100644
--- a/.github/workflows/web-release.yml
+++ b/.github/workflows/web-release.yml
@@ -14,6 +14,9 @@ jobs:
 build-and-release:
 needs: run-tests
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
 steps:
 - uses: actions/checkout@v4
 
diff --git a/.github/workflows/web-tests.yml b/.github/workflows/web-tests.yml
index 22016a3a..a02f716c 100644
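Review bot: `permissions: read-all` grants the token read access on every scope (packages, deployments, pull-requests, issues, and so on) although the scheduled `test` job most likely only checks out the repository and runs the audit; web-tests.yml adds the same preset. The explicit map the other workflows in this commit use, `permissions:` / `  contents: read`, is the least-privilege form and reads consistently across the set. The `test` job's steps continue below the hunk, so confirm no step needs another scope before tightening.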
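Review bot: With the workflow-level block of publish.yml now granting only `contents: read`, the `pypi-publish` job must carry its own `permissions` key for whatever it publishes with (`id-token: write` if it uses PyPI trusted publishing), and because a job-level key replaces the workflow-level one, that block must also restate `contents: read` if the job checks out the repository. The job body is below the hunk, so this is a check rather than a confirmed defect. A short comment on the remaining top-level block, `# floor for every job; jobs that publish declare their own scopes`, would make the intended split explicit.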
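Review bot: Once `deploy` in web-deploy.yml carries its own `permissions` key, the workflow-level `contents: read` kept in the first hunk no longer applies to it: a job-level block replaces the workflow-level one and any scope it omits becomes `none`. That is what `actions/deploy-pages` needs (`pages: write`, `id-token: write`), but if any step in `deploy` checks out the repository it now runs without `contents: read`; the job's steps continue below the hunk, so verify, and add `contents: read` to the job block if so. Once verified, a one-line comment above the block such as `# Pages write + OIDC token for deploy-pages; this job does not read the repo` records why the job drops the workflow-level read.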
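Review bot: `run-tests`, the sibling job in web-release.yml that calls the web-tests.yml reusable workflow, gets no job-level `permissions` here, and the hunk does not show whether this file still has a workflow-level block; if it has none, that job, and the called workflow with it, runs with the repository default token, and the `permissions: read-all` added to web-tests.yml cannot correct that because a called workflow can only narrow what its caller passes in. Adding `permissions:` / `  contents: read` to `run-tests` (or a workflow-level floor in this file) pins it. `pull-requests: write` on a release job also deserves a comment naming the step that needs it, since nothing visible in the hunk opens or comments on a pull request; the job's steps continue past `actions/checkout@v4`.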
--- a/.github/workflows/web-tests.yml
+++ b/.github/workflows/web-tests.yml
@@ -7,6 +7,8 @@ on:
 - 'web/explorer/**'
 workflow_call: # this allows the workflow to be called by other workflows
 
+permissions: read-all
+
 jobs:
 test:
 runs-on: ubuntu-latest
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d613005b..80a44ec8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,6 +17,7 @@
 ### capa Explorer IDA Pro plugin
 
 ### Development
+- ci: use explicit and per job permissions @mike-hunhoff #3002
 - replace black/isort/flake8 with ruff @mike-hunhoff #2992
 
 ### Raw diffs