CI: Restrict default permissions

tacaswell · tacaswell · commit 08b5a555b4e5 · 2025-07-18T14:33:40.000-04:00
Reduces risk of arbitrary code is run by attacker.
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -1,18 +1,21 @@
 name: CI
-permissions:
-  contents: write
-
 on: [push, pull_request]
 
 jobs:
   pre-commit:
+    permissions:
+      contents: read
+
     runs-on: ubuntu-20.04
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v5
       - uses: pre-commit/action@v3.0.1
   build:
     runs-on: ubuntu-20.04
+    permissions:
+      contents: write
+
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v5
