diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index e2f79f3..0c3cf88 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -10,7 +10,6 @@ jobs:
     name: Upload release to PyPI
     runs-on: ubuntu-latest
     permissions:
-      contents: read
       # Allow use of GitHub OIDC for PyPI authentication
       id-token: write
     steps:
diff --git a/.github/workflows/scan-workflows.yml b/.github/workflows/scan-workflows.yml
index fb84502..d87e954 100644
--- a/.github/workflows/scan-workflows.yml
+++ b/.github/workflows/scan-workflows.yml
@@ -15,11 +15,8 @@ jobs:
   build:
     runs-on: ubuntu-latest
     permissions:
-      # required for all workflows
+      # Write access needed to upload SARIF scan results
       security-events: write
-      # only required for workflows in private repositories
-      actions: read
-      contents: read
     steps:
       - uses: actions/checkout@v4
         with:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 73c891f..04e80ef 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -28,9 +28,6 @@ defaults:
     # This also implies `set -eo pipefail` (rather than just `set -e`)
     shell: bash
 
-permissions:
-  contents: read
-
 jobs:
   tests:
     runs-on: ${{ matrix.os }}
diff --git a/.github/workflows/update-expected-output.yml b/.github/workflows/update-expected-output.yml
index f43940a..b2b002e 100644
--- a/.github/workflows/update-expected-output.yml
+++ b/.github/workflows/update-expected-output.yml
@@ -21,9 +21,6 @@ defaults:
     # This also implies `set -eo pipefail` (rather than just `set -e`)
     shell: bash
 
-permissions:
-  contents: read
-
 jobs:
   timestamp:
     runs-on: ubuntu-20.04
@@ -178,6 +175,7 @@ jobs:
     # Need to check the output for each matrix job separately due to GitHub matrix output limitations
     if: needs.test.outputs.want-pr-linux || needs.test.outputs.want-pr-windows || needs.test.outputs.want-pr-macos
     permissions:
+      # Creating PRs involves more than just read permissions
       contents: write
       pull-requests: write
     steps:
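Review bot: With `contents: read` removed, the job-level `permissions:` block in publish.yml lists only `id-token: write`, and GitHub sets every scope not named in a job-level block — including `contents` — to `none` for that job. Whether that is safe depends on the steps, which lie outside the hunk: a checkout of a private repository, or any other read of repository contents through GITHUB_TOKEN, would now fail, whereas a public-repository checkout or a same-run artifact download should be unaffected. If the removal is deliberate, a line such as `# Only the OIDC token is needed; every other scope is intentionally none` next to `id-token: write` records that intent for the next reader.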
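Review bot: The removed comment in scan-workflows.yml recorded that `actions: read` and `contents: read` are needed when the repository is private, and that knowledge is lost together with the scopes; because the job-level block now names only `security-events: write`, both scopes become `none`, and the `actions/checkout@v4` step visible in this hunk would fail on a private repository. If the repository is public the removal is fine, but keeping a pointer such as `# If this repository becomes private, also grant actions: read and contents: read` under `security-events: write` avoids a confusing failure later. The build job continues past the end of the hunk.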
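Review bot: Deleting the workflow-level `permissions:` / `contents: read` block in test.yml drops the least-privilege floor for every job in the workflow: with no `permissions` key at either level, GITHUB_TOKEN falls back to the repository's or organisation's configured default, which may be read/write on all scopes rather than read-only. The same deletion appears in the first hunk of update-expected-output.yml, where only the PR-creating job declares its own block and the remaining jobs (e.g. `timestamp`) would likewise inherit the repository default. Unless that default is known to be read-only, keep the two lines `permissions:` / `  contents: read` at workflow level, or add them per job, so the token stays restricted regardless of repository settings.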
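Review bot: The comment added above `contents: write` in the last hunk of update-expected-output.yml says more than read is needed but not which scope serves which purpose, which is the question a later reader auditing write scopes will have. Something like `# contents: write to push the update branch, pull-requests: write to open the PR` pins each scope to its use — assuming the job pushes a branch before opening the PR, which cannot be confirmed here since its steps lie outside the hunk.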