From 4324bf6835e4482e2eee25022cbb6076b3a84fdd Mon Sep 17 00:00:00 2001
From: Melissa Kilby
Date: Fri, 17 Oct 2025 14:19:58 -0700
Subject: [PATCH] chore: restrict GitHub workflow permissions - future-proof
Signed-off-by: Melissa Kilby
---
 .github/workflows/sphinx.yml | 11 ++++++-----
 .github/workflows/testing.yml | 3 +++
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/sphinx.yml b/.github/workflows/sphinx.yml
index 791556a..ca1feac 100644
--- a/.github/workflows/sphinx.yml
+++ b/.github/workflows/sphinx.yml
@@ -1,15 +1,13 @@
 name: Deploy sphinx site to Pages
+permissions:
+ contents: read
+
 on:
 push:
 branches: ["main"]
 workflow_dispatch:
-permissions:
- contents: read
- pages: write
- id-token: write
-
 concurrency:
 group: "pages"
 cancel-in-progress: false
@@ -36,6 +34,9 @@ jobs:
 path: ./docs/build/html
 deploy:
+ permissions:
+ pages: write
+ id-token: write
 environment:
 name: github-pages
 url: ${{ steps.deployment.outputs.page_url }}
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
index f7470b2..5a5567c 100644
--- a/.github/workflows/testing.yml
+++ b/.github/workflows/testing.yml
@@ -1,5 +1,8 @@
 name: Run tests upon pull request events
+permissions:
+ contents: read
+
 on:
 pull_request:
 branches: ["main"]
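Review bot: The new top-level `permissions` block in sphinx.yml has no comment saying that it is now the default token scope for every job in the workflow, including jobs added later, and that a job needing more must declare its own block. I would add above it `# Default GITHUB_TOKEN scope for all jobs; grant anything beyond read per job.` The build job is outside this hunk and presumably now runs on this default alone, so it is worth confirming that it needs nothing beyond `contents: read`. The same comment applies to the block added at the top of testing.yml in the last hunk.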
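Review bot: A job-level `permissions` block replaces the workflow-level one rather than adding to it, so under the new `deploy` block every scope not listed, `contents` included, is `none`. That is the least-privilege outcome for a job that only publishes the uploaded artifact, but the steps of `deploy` are outside this hunk, so confirm that none of them checks out the repository or reads it through the API. A comment above the block would keep a later edit from tripping on this: `# replaces the workflow default: only pages + OIDC, no contents access`.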