diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml
index 5e50cce..498e1a6 100644
--- a/.github/workflows/add-to-project.yml
+++ b/.github/workflows/add-to-project.yml
@@ -11,12 +11,14 @@ on:
 - reopened
 - opened
-permissions:
- pull-requests: write
+# Limit token permissions for security
+permissions: read-all
 jobs:
 add-to-project:
 uses: seedcase-project/.github/.github/workflows/reusable-add-to-project.yml@main
+ permissions:
+ pull-requests: write
 with:
 board-number: 18
 app-id: ${{ vars.ADD_TO_BOARD_APP_ID }}
diff --git a/.github/workflows/build-package.yml b/.github/workflows/build-package.yml
index 5100c0a..fb8f25b 100644
--- a/.github/workflows/build-package.yml
+++ b/.github/workflows/build-package.yml
@@ -21,9 +21,12 @@ on:
 branches:
 - main
-permissions:
- contents: write
+# Limit token permissions for security
+permissions: read-all
 jobs:
 build:
 uses: seedcase-project/.github/.github/workflows/reusable-build-python.yml@main
+ # Permissions needed for pushing to the coverage branch.
+ permissions:
+ contents: write
diff --git a/.github/workflows/sync-files.yml b/.github/workflows/sync-files.yml
index 8ffac82..04d93ca 100644
--- a/.github/workflows/sync-files.yml
+++ b/.github/workflows/sync-files.yml
@@ -5,6 +5,9 @@ on:
 - main
 workflow_dispatch:
+# Limit token permissions for security
+permissions: read-all
+
 jobs:
 sync:
 uses: seedcase-project/.github/.github/workflows/reusable-sync-files.yml@main
diff --git a/.github/workflows/update-version.yml b/.github/workflows/update-version.yml
index 2196433..03aa554 100644
--- a/.github/workflows/update-version.yml
+++ b/.github/workflows/update-version.yml
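Review bot: `permissions: read-all` at the workflow level grants read on every token scope, which is wider than this workflow needs and wider than the single scope it replaces; since the only job declares its own block, `permissions: {}` is the tighter baseline, and the same applies to the `read-all` lines in the build-package, sync-files and update-version hunks. A job-level `permissions` block replaces the workflow-level set entirely, so `add-to-project` now receives only `pull-requests: write`; if the reusable workflow checks out the repository it will also need `contents: read`, which should be confirmed against the called workflow. The `# Limit token permissions for security` comment would be more useful if it stated the policy, e.g. `# Default GITHUB_TOKEN to read-only; each job grants the write scopes it needs.` The `on:` block begins before this hunk.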
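Review bot: `contents: write` is now granted to a job that calls a reusable workflow referenced by the mutable `@main` ref, so any later change to that workflow on that branch inherits push access to this repository; pin the reference to a tag or commit SHA, `uses: seedcase-project/.github/.github/workflows/reusable-build-python.yml@<commit-sha>  # <tag>`, and the same applies to the update-version hunk. The job-level block also replaces `read-all` for this job, so the called workflow gets no scope other than `contents`; that is probably enough for a build that pushes a branch, but confirm it does not read packages or pull requests with `GITHUB_TOKEN`. The one-line justification on the new lines is the right pattern — the other three workflows would benefit from the same.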
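Review bot: `permissions: read-all` is the effective token for the `sync` job here, since unlike the other three hunks no job-level block narrows it, so it both grants read on every scope and replaces whatever the repository default granted before. If the reusable sync workflow commits or opens pull requests with `GITHUB_TOKEN` it will now fail with a 403; if it authenticates through a GitHub App instead, a block listing just `contents: read` is the tighter choice. Either way, a comment naming which token the job writes with, e.g. `# Sync pushes with the App token; GITHUB_TOKEN only needs to check out.` (if that is the case), would save the next reader the lookup.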
@@ -5,11 +5,14 @@ on:
 branches:
 - main
-permissions:
- contents: write
+# Limit token permissions for security
+permissions: read-all
 jobs:
 update-version:
+ # Only give permissions for this job.
+ permissions:
+ contents: write
 uses: seedcase-project/.github/.github/workflows/reusable-update-python-project-version.yml@main
 with:
 app-id: ${{ vars.UPDATE_VERSION_APP_ID }}
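Review bot: The new `permissions:` block is placed above `uses:` here, while add-to-project and build-package place it after `uses:`; pick one key order for the four callers so the workflows stay comparable side by side. The comment `# Only give permissions for this job.` restates the mechanism rather than the reason; mirroring build-package, `# contents: write so the called workflow can commit the version bump.` would tell a reader why write is needed. That reason should be confirmed first, since `app-id: ${{ vars.UPDATE_VERSION_APP_ID }}` suggests the push may be done with an App token, in which case the write scope on `GITHUB_TOKEN` may be unnecessary. The `jobs:` mapping continues past the end of this hunk.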