fix: permissions on CI jobs

mayeut · mayeut · commit 614572743af5 · 2025-12-03T21:47:06.000+01:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -21,12 +21,18 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   pre_commit:
     name: Pre-commit checks
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v6
         with:
           python-version: "3.x"
@@ -63,7 +69,7 @@ jobs:
     needs: build_matrix
     runs-on: ${{ matrix.runner }}
     permissions:
-      packages: write
+      packages: write  # needed to write image cache
       contents: read
     strategy:
       fail-fast: false
@@ -79,6 +85,7 @@ jobs:
         uses: actions/checkout@v6
         with:
           fetch-depth: 50
+          persist-credentials: false
 
       - name: Set up QEMU
         if: matrix.platform == 'ppc64le' || matrix.platform == 'riscv64' || matrix.platform == 's390x'
diff --git a/.github/workflows/clean-cache.yml b/.github/workflows/clean-cache.yml
@@ -15,13 +15,15 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: false
 
+permissions: {}
+
 jobs:
   cleanup:
     if: github.repository == 'pypa/manylinux'
     name: Clean image cache
     runs-on: ubuntu-latest
     permissions:
-      packages: write
+      packages: write  # needed to delete images
     steps:
       - uses: dataaxiom/ghcr-cleanup-action@cd0cdb900b5dbf3a6f2cc869f0dbb0b8211f50c4 # v1.0.16
         with:
diff --git a/.github/workflows/multiarch.yml b/.github/workflows/multiarch.yml
@@ -9,12 +9,17 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: false
 
+permissions:
+  contents: read
+
 jobs:
   deploy:
     name: Deploy multi-arch images
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Install ORAS
         run: sudo snap install oras --classic
       - name: Deploy
diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml
@@ -11,12 +11,23 @@ on:
 env:
   FORCE_COLOR: '1'
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
+permissions: {}
+
 jobs:
   update-dependencies:
     name: Update dependencies
+    permissions:
+      contents: write  # needed to create new branch
+      pull-requests: write  # needed to create PR for the new branch
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v6
+      with:
+        persist-credentials: false
     - uses: wntrblm/nox@2025.11.12
       with:
         python-versions: "3.12"
