ci: consolidate permissions in workflows (#88)

Fixes #86

.github/workflows/codeql.yml

@@ -1,14 +1,14 @@
 # Ref: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning
 name: CodeQL
 
-permissions:
-  contents: read
-
 on:
   push:
     branches: [main]
   pull_request:
-  workflow_dispatch:
+  workflow_dispatch: # run manually from actions tab
+
+# Set permissions at the job level.
+permissions: {}
 
 jobs:
   analyze:

.github/workflows/docs.yml

@@ -4,15 +4,14 @@ on:
   release:
     types: [created]
   workflow_call:
-  # run manually from actions tab
-  workflow_dispatch:
+  workflow_dispatch: # run manually from actions tab
+
+# Set permissions at the job level.
+permissions: {}
 
 env:
   PYTHONUNBUFFERED: 1
 
-permissions:
-  contents: read
-
 jobs:
   docs:
     # Disables this workflow from running in a repository that is not part of the indicated organization/user

.github/workflows/label.yml

@@ -7,10 +7,10 @@ on:
     paths:
     - .github/labels.yml
     - .github/workflows/label.yml
-  workflow_dispatch:
+  workflow_dispatch: # run manually from actions tab
 
-permissions:
-  contents: read
+# Set permissions at the job level.
+permissions: {}
 
 jobs:
   label:

.github/workflows/main.yml

@@ -8,13 +8,13 @@ concurrency:
   group: ci-${{ github.head_ref }}
   cancel-in-progress: true
 
+# Set permissions at the job level.
+permissions: {}
+
 env:
   PYTHONUNBUFFERED: 1
   FORCE_COLOR: 1
 
-permissions:
-  contents: read
-
 jobs:
   test:
     uses: ./.github/workflows/test.yml
@@ -23,6 +23,8 @@ jobs:
     # disables this workflow from running in a repository that is not part of the indicated organization/user
     if: github.repository_owner == 'afuetterer'
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     needs:
     - test
     steps:

.github/workflows/pr.yml

@@ -12,13 +12,13 @@ concurrency:
   group: pr-${{ github.head_ref }}
   cancel-in-progress: true
 
+# Set permissions at the job level.
+permissions: {}
+
 env:
   PYTHONUNBUFFERED: 1
   FORCE_COLOR: 1
 
-permissions:
-  contents: read
-
 jobs:
   test:
     uses: ./.github/workflows/test.yml

.github/workflows/stale.yml

@@ -7,8 +7,8 @@ on:
   - cron: 0 0 * * 0
   workflow_dispatch: # run manually from actions tab
 
-permissions:
-  contents: read
+# Set permissions at the job level.
+permissions: {}
 
 jobs:
   stale:

.github/workflows/test.yml

@@ -3,13 +3,13 @@ name: Test
 on:
   workflow_call:
 
+# Set permissions at the job level.
+permissions: {}
+
 env:
   PYTHONUNBUFFERED: 1
   FORCE_COLOR: 1
 
-permissions:
-  contents: read
-
 jobs:
   test:
     name: Python ${{ matrix.python-version }}

.github/workflows/upgrade-requirements.yml

@@ -10,8 +10,8 @@ on:
   - cron: 0 0 1 * *
   workflow_dispatch: # run manually from actions tab
 
-permissions:
-  contents: read
+# Set permissions at the job level.
+permissions: {}
 
 jobs:
   upgrade: