CI: Restrict default permissions

tacaswell · tacaswell · commit c3afa516fb0c · 2025-07-17T23:36:36.000-04:00
Reduces risk of arbitrary code is run by attacker.
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -1,11 +1,11 @@
 name: CI
-permissions:
-  contents: write
-
 on: [push, pull_request]
 
 jobs:
   pre-commit:
+    permissions:
+      contents: read
+
     runs-on: ubuntu-20.04
     steps:
       - uses: actions/checkout@v2
@@ -15,6 +15,9 @@ jobs:
       - uses: pre-commit/action@0764670bf370aab253130d534e1eda7ff497dc60 # v2.0.0
   build:
     runs-on: ubuntu-20.04
+    permissions:
+      contents: write
+
     steps:
       - uses: actions/checkout@v2
         with:
