ci: use explicit and per job permissions (#3002)

* ci: use explicit and per job permissions * update CHANGELOG
2026-04-28 11:53:20 -07:00 · 2026-04-07 14:39:41 -06:00
parent c55b06860c
commit 0798528b7b
9 changed files with 20 additions and 12 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -11,11 +11,10 @@ on:
    types: [edited, published]
  workflow_dispatch: # manual trigger for testing

-permissions:
-  contents: write
-
 jobs:
  build:
+    permissions:
+      contents: read
    name: PyInstaller for ${{ matrix.os }} / Py ${{ matrix.python_version }}
    runs-on: ${{ matrix.os }}
    strategy:
@@ -139,6 +138,8 @@ jobs:
    if: github.event_name == 'release'
    name: zip and upload ${{ matrix.asset_name }}
    runs-on: ubuntu-latest
+    permissions:
+      contents: write
    needs: [build]
    strategy:
      matrix: