ci: 🔒 explicitly set permissions, move to job-level (#84)

lwjohnst86 · web-flow · commit defe71278ea4 · 2025-06-06T19:52:02.000+02:00
# Description

This applies some security settings as recommended by OpenSSF.

No review needed.
diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml
@@ -11,12 +11,14 @@ on:
       - reopened
       - opened
 
-permissions:
-  pull-requests: write
+# Limit token permissions for security
+permissions: read-all
 
 jobs:
   add-to-project:
     uses: seedcase-project/.github/.github/workflows/reusable-add-to-project.yml@main
+    permissions:
+      pull-requests: write
     with:
       board-number: 18
       app-id: ${{ vars.ADD_TO_BOARD_APP_ID }}
diff --git a/.github/workflows/build-package.yml b/.github/workflows/build-package.yml
@@ -21,9 +21,12 @@ on:
     branches:
       - main
 
-permissions:
-  contents: write
+# Limit token permissions for security
+permissions: read-all
 
 jobs:
   build:
     uses: seedcase-project/.github/.github/workflows/reusable-build-python.yml@main
+    # Permissions needed for pushing to the coverage branch.
+    permissions:
+      contents: write
diff --git a/.github/workflows/sync-files.yml b/.github/workflows/sync-files.yml
@@ -5,6 +5,9 @@ on:
       - main
   workflow_dispatch:
 
+# Limit token permissions for security
+permissions: read-all
+
 jobs:
   sync:
     uses: seedcase-project/.github/.github/workflows/reusable-sync-files.yml@main
diff --git a/.github/workflows/update-version.yml b/.github/workflows/update-version.yml
@@ -5,11 +5,14 @@ on:
     branches:
       - main
 
-permissions:
-  contents: write
+# Limit token permissions for security
+permissions: read-all
 
 jobs:
   update-version:
+    # Only give permissions for this job.
+    permissions:
+      contents: write
     uses: seedcase-project/.github/.github/workflows/reusable-update-python-project-version.yml@main
     with:
       app-id: ${{ vars.UPDATE_VERSION_APP_ID }}
