From 1a1b71dccce04d4c7e25a92ea4d18189e1d9f065 Mon Sep 17 00:00:00 2001
From: Joseph Edwards
Date: Mon, 16 Mar 2026 13:20:30 +0000
Subject: [PATCH] CI: Add read-only permission to workflows
---
 .github/workflows/codespell.yml | 6 ++++--
 .github/workflows/config-options.yml | 2 ++
 .github/workflows/custom-branch.yml | 2 ++
 .github/workflows/doc.yml | 2 ++
 .github/workflows/lint.yml | 2 ++
 .github/workflows/pip.yml | 2 ++
 .github/workflows/test-conda.yml | 2 ++
 .github/workflows/tests.yml | 2 ++
 .github/workflows/wheels.yml | 2 ++
 9 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index a7d4daf9..0af81a55 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -1,8 +1,10 @@
 name: codespell
 on: [pull_request]
+permissions:
+ contents: read
 jobs:
 codespell:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
- - uses: codespell-project/actions-codespell@v2.2
+ - uses: actions/checkout@v6
+ - uses: codespell-project/actions-codespell@v2.2
diff --git a/.github/workflows/config-options.yml b/.github/workflows/config-options.yml
index a68a3c51..d7a5ca28 100644
--- a/.github/workflows/config-options.yml
+++ b/.github/workflows/config-options.yml
@@ -1,5 +1,7 @@
 name: Config options
 on: [pull_request, workflow_dispatch]
+permissions:
+ contents: read
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/custom-branch.yml b/.github/workflows/custom-branch.yml
index ac7db991..de4bed07 100644
--- a/.github/workflows/custom-branch.yml
+++ b/.github/workflows/custom-branch.yml
@@ -11,6 +11,8 @@ on:
 required: false
 type: string
 default: libsemigroups/libsemigroups
+permissions:
+ contents: read
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/doc.yml b/.github/workflows/doc.yml
index 686a45d9..11ee08c6 100644
--- a/.github/workflows/doc.yml
+++ b/.github/workflows/doc.yml
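Review bot: In `.github/workflows/codespell.yml` the two re-added `uses:` lines still reference mutable tags (`actions/checkout@v6`, `codespell-project/actions-codespell@v2.2`), so the code behind the third-party codespell action can change without any commit in this repository. Restricting `GITHUB_TOKEN` to `contents: read` limits what a retagged action could do with the token, but not which code runs. Pinning to a full commit SHA closes that gap, e.g. `- uses: codespell-project/actions-codespell@<full-commit-sha>  # v2.2`. Since this job only reads the tree, `with: persist-credentials: false` on the checkout step would also keep the token from being persisted for the later step.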
@@ -1,5 +1,7 @@
 name: Check documentation builds
 on: [pull_request, workflow_dispatch]
+permissions:
+ contents: read
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 97a9f358..fc44d01d 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,5 +1,7 @@
 name: Lint
 on: [pull_request, workflow_dispatch]
+permissions:
+ contents: read
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/pip.yml b/.github/workflows/pip.yml
index c75a219e..28a99e1f 100644
--- a/.github/workflows/pip.yml
+++ b/.github/workflows/pip.yml
@@ -1,5 +1,7 @@
 name: Run tests (pip)
 on: [pull_request, workflow_dispatch]
+permissions:
+ contents: read
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/test-conda.yml b/.github/workflows/test-conda.yml
index eb133556..91f84bb4 100644
--- a/.github/workflows/test-conda.yml
+++ b/.github/workflows/test-conda.yml
@@ -5,6 +5,8 @@ on:
 branches:
 - "stable-*"
 - "rc-*"
+permissions:
+ contents: read
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 3ef3bb3b..65b3a4dc 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -1,5 +1,7 @@
 name: Run tests (GitHub libsemigroups)
 on: [pull_request, workflow_dispatch]
+permissions:
+ contents: read
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/wheels.yml b/.github/workflows/wheels.yml
index c1ae7c22..9bd8799d 100644
--- a/.github/workflows/wheels.yml
+++ b/.github/workflows/wheels.yml
@@ -10,6 +10,8 @@ on:
 pull_request:
 paths:
 - .github/workflows/wheels.yml
+permissions:
+ contents: read
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
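Review bot: In `.github/workflows/wheels.yml` the workflow-level `permissions:` block sets every scope that is not listed to `none`, and the jobs of this workflow lie outside the hunk, so their needs cannot be checked from here. If any job uploads to a release or publishes through OIDC trusted publishing, it needs its own job-level grant (`contents: write` or `id-token: write` on that job only) rather than a wider workflow-level block. The same check applies to the other workflows in this patch, whose job definitions are also not shown. A one-line comment above each block, such as `# Least privilege: GITHUB_TOKEN is read-only; widen per job, not here`, would record the intent for later editors.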