Specify explicit contents: read workflow permissions

EliahKagan · EliahKagan · commit d670878b4a6f · 2025-05-30T15:40:12.000-04:00
Three CI workflows that need only `contents: read` permissions and no other permissions did not have explicit permissions set, and would therefore be given permissions configured for the repository. It is recommended to set explicit workflow permissions. This does so, bringing those workflows inline with `pythonpackage.yml` (which had this), and closing three `actions/missing-workflow-permissions` CodeQL alerts (new since #2032 enabled scanning of GHA workflows). See also: https://codeql.github.com/codeql-query-help/actions/actions-missing-workflow-permissions/
diff --git a/.github/workflows/alpine-test.yml b/.github/workflows/alpine-test.yml
@@ -2,6 +2,9 @@ name: test-alpine
 
 on: [push, pull_request, workflow_dispatch]
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/cygwin-test.yml b/.github/workflows/cygwin-test.yml
@@ -2,6 +2,9 @@ name: test-cygwin
 
 on: [push, pull_request, workflow_dispatch]
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: windows-latest
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -2,6 +2,9 @@ name: Lint
 
 on: [push, pull_request, workflow_dispatch]
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest
