security(workflows): add permissions

Kitt3120 · Kitt3120 · commit 1a304cfd83d5 · 2025-07-25T23:14:12.000+02:00
diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml
@@ -17,6 +17,8 @@ jobs:
             os: macos-latest
           - env: windows-64
             os: windows-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
diff --git a/.github/workflows/deploy_prerelease.yml b/.github/workflows/deploy_prerelease.yml
@@ -5,10 +5,10 @@ on:
 jobs:
   github:
     name: Publish GitHub
-    permissions:
-      contents: write
     environment: GITHUB_PRE_RELEASE
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
diff --git a/.github/workflows/deploy_release.yml b/.github/workflows/deploy_release.yml
@@ -6,6 +6,8 @@ jobs:
   check_version_bump:
     name: Check version bump
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
@@ -34,6 +36,8 @@ jobs:
     needs: check_version_bump
     environment: CRATES_IO
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
@@ -51,10 +55,10 @@ jobs:
   github:
     name: Publish GitHub
     needs: crates_io
-    permissions:
-      contents: write
     environment: GITHUB_RELEASE
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
