diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3c697828..df63c876 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,6 +7,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+# Do not add permissions here! Configure them at the job level!
+permissions: {}
+
 jobs:
 build-and-test-native:
 runs-on: ${{ matrix.operating-system }}
diff --git a/.github/workflows/ci_nix.yml b/.github/workflows/ci_nix.yml
index 41386752..f5fed6b0 100644
--- a/.github/workflows/ci_nix.yml
+++ b/.github/workflows/ci_nix.yml
@@ -7,6 +7,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+# Do not add permissions here! Configure them at the job level!
+permissions: {}
+
 jobs:
 build-and-test-nix:
 strategy:
diff --git a/.github/workflows/deploy-docs.yml b/.github/workflows/deploy-docs.yml
index fe38caad..f1a52539 100644
--- a/.github/workflows/deploy-docs.yml
+++ b/.github/workflows/deploy-docs.yml
@@ -7,22 +7,24 @@ on:
 workflow_dispatch:
-permissions:
- contents: read
- pages: write
- id-token: write
-
 # this cancels workflows currently in progress if you start a new one
 concurrency:
 group: "pages"
 cancel-in-progress: true
+# Do not add permissions here! Configure them at the job level!
+permissions:
+ contents: read
+
 jobs:
 deploy:
 environment:
 name: github-pages
 url: ${{ steps.deployment.outputs.page_url }}
 runs-on: ubuntu-24.04
+ permissions:
+ pages: write
+ id-token: write
 steps:
 - name: Checkout
 uses: actions/checkout@v4
diff --git a/.github/workflows/test_latest_release.yml b/.github/workflows/test_latest_release.yml
index 64b1c4cb..adddebbe 100644
--- a/.github/workflows/test_latest_release.yml
+++ b/.github/workflows/test_latest_release.yml
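Review bot: The `build-and-test-native` job in ci.yml gets no job-level `permissions:` block in this hunk, so with the new top-level `permissions: {}` its GITHUB_TOKEN carries no scopes beyond the implicit metadata read. Any step that checks out the repository or calls the API with that token then works only while the repository is public; I would add `permissions:` with `contents: read` under the job so the grant is explicit and survives a visibility change. The same applies to `build-and-test-nix` in ci_nix.yml and `test-latest-release` in test_latest_release.yml. The job bodies continue outside the hunks, so confirm that none of them already declares its own permissions further down.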
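Review bot: In deploy-docs.yml the workflow-level `contents: read` does not reach the `deploy` job, because a job-level `permissions:` block replaces the workflow-level one and every scope it omits becomes `none`; the visible `actions/checkout@v4` step therefore runs without `contents: read`. Move the grant into the job (`contents: read` next to `pages: write` and `id-token: write`) and make the top level `permissions: {}`, which also removes the contradiction between the added comment and the mapping directly under it. The job's steps continue outside the hunk; if they build the site as well as deploy it, a separate build job without `pages: write` and `id-token: write` would keep the OIDC token away from build-time code.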
@@ -6,6 +6,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+# Do not add permissions here! Configure them at the job level!
+permissions: {}
+
 jobs:
 test-latest-release:
 runs-on: [ubuntu-22.04]