ci: Update Github token permissions (#185)

# Summary
Sets explicit permissions on `GITHUB_TOKEN`, to address the issues
flagged by CodeQL scanner.

# Changes
* Permission set on each workflow.
* Update status badges in README to include CodeQL.

Author: toby-coleman

.github/workflows/benchmarks.yaml

@@ -7,9 +7,12 @@ on:
       - synchronize
 
 jobs:
-  lint:
+  benchmark:
     name: Benchmark tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
     strategy:
       matrix:
         python_version: [3.12]

.github/workflows/docs.yaml

@@ -16,6 +16,8 @@ env:
 jobs:
   publish:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: checkout gh-pages
         uses: actions/checkout@v4

.github/workflows/lint-test.yaml

@@ -10,6 +10,9 @@ on:
       - synchronize
       - reopened
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint code

.github/workflows/pr-check.yaml

@@ -11,6 +11,8 @@ on:
 jobs:
   pr-check:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
     steps:
       - name: Check PR title
         uses: amannn/action-semantic-pull-request@v5

.github/workflows/pypi.yaml

@@ -9,6 +9,9 @@ on:
 env:
   PYTHON_VERSION: '3.12'
 
+permissions:
+  contents: read
+
 # See https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/
 # Uses https://github.com/astral-sh/uv/issues/6298#issuecomment-2335034247 to set version equivalent to poetry-dynamic-versioning
 jobs:

README.md

@@ -8,21 +8,24 @@
 
 <div align="center" class="badge-section">
   <br>
-  <a href="https://pypi.org/project/plugboard/", alt="PyPI version">
+  <a href="https://pypi.org/project/plugboard/" alt="PyPI version">
     <img alt="PyPI" src="https://img.shields.io/pypi/v/plugboard?labelColor=075D7A&color=CC9C4A"></a>
-  <a href="https://www.python.org/", alt="Python versions">
+  <a href="https://www.python.org/" alt="Python versions">
     <img alt="Python" src="https://img.shields.io/pypi/pyversions/plugboard?labelColor=075D7A&color=CC9C4A"></a>
-  <a href="https://github.com/plugboard-dev/plugboard?tab=Apache-2.0-1-ov-file#readme", alt="License">
+  <a href="https://github.com/plugboard-dev/plugboard?tab=Apache-2.0-1-ov-file#readme" alt="License">
     <img alt="License" src="https://img.shields.io/github/license/plugboard-dev/plugboard?labelColor=075D7A&color=CC9C4A"></a>
-  <a href="https://github.com/plugboard-dev/plugboard", alt="Typed">
+  <a href="https://github.com/plugboard-dev/plugboard" alt="Typed">
     <img alt="Typed" src="https://img.shields.io/pypi/types/plugboard?labelColor=075D7A&color=CC9C4A"></a>
   <br>
-  <a href="https://github.com/plugboard-dev/plugboard/actions/workflows/lint-test.yaml", alt="Lint and test">
+  <a href="https://github.com/plugboard-dev/plugboard/actions/workflows/lint-test.yaml" alt="Lint and test">
     <img alt="Lint and Test" src="https://github.com/plugboard-dev/plugboard/actions/workflows/lint-test.yaml/badge.svg"></a>
-  <a href="https://github.com/plugboard-dev/plugboard/actions/workflows/docs.yaml", alt="Documentation">
-    <img alt="Docs" src="https://github.com/plugboard-dev/plugboard/actions/workflows/docs.yaml/badge.svg"></a>
+  <a href="https://github.com/plugboard-dev/plugboard/actions/workflows/github-code-scanning/codeql" alt="CodeQL">
+    <img alt="CodeQL" src="https://github.com/plugboard-dev/plugboard/actions/workflows/github-code-scanning/codeql/badge.svg"></a>
   <a href="https://codecov.io/gh/plugboard-dev/plugboard" >
     <img src="https://codecov.io/gh/plugboard-dev/plugboard/graph/badge.svg?token=4LU4K6TOLQ"/></a>
+  <br>
+  <a href="https://docs.plugboard.dev" alt="Documentation">
+    <img alt="Docs" src="https://github.com/plugboard-dev/plugboard/actions/workflows/docs.yaml/badge.svg"></a>
 </div>
 
 <hr>