diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 4540fb5af..527f26d35 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -2,6 +2,9 @@ name: Lint
 on: [push, pull_request, workflow_dispatch]
+permissions:
+ contents: read
+
 jobs:
 build:
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index ad66117b1..7ee76c4ac 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -7,8 +7,14 @@ on:
 - main
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 update_release_draft:
+ permissions:
+ contents: write # for release-drafter/release-drafter to create a github release
+ pull-requests: write # for release-drafter/release-drafter to add label to PR
 if: github.repository == 'python-pillow/Pillow'
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/test-cygwin.yml b/.github/workflows/test-cygwin.yml
index 2e8fc9c09..417b1f212 100644
--- a/.github/workflows/test-cygwin.yml
+++ b/.github/workflows/test-cygwin.yml
@@ -99,6 +99,8 @@ jobs:
 name: Cygwin Python 3.${{ matrix.python-minor-version }}
 success:
+ permissions:
+ contents: none
 needs: build
 runs-on: ubuntu-latest
 name: Cygwin Test Successful
diff --git a/.github/workflows/test-docker.yml b/.github/workflows/test-docker.yml
index 2b4dc6b52..a78972607 100644
--- a/.github/workflows/test-docker.yml
+++ b/.github/workflows/test-docker.yml
@@ -2,6 +2,9 @@ name: Test Docker
 on: [push, pull_request, workflow_dispatch]
+permissions:
+ contents: read
+
 jobs:
 build:
@@ -82,6 +85,8 @@ jobs:
 name: ${{ matrix.docker }}
 success:
+ permissions:
+ contents: none
 needs: build
 runs-on: ubuntu-latest
 name: Docker Test Successful
diff --git a/.github/workflows/test-mingw.yml b/.github/workflows/test-mingw.yml
index 7b5cc8a97..7ddb71e1f 100644
--- a/.github/workflows/test-mingw.yml
+++ b/.github/workflows/test-mingw.yml
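Review bot: In `.github/workflows/release-drafter.yml`, the `pull-requests: write` grant on `update_release_draft` looks broader than this workflow needs. The visible trigger context shows only a branch filter and `workflow_dispatch`, so the job presumably never runs on a pull request event, and release-drafter's documentation asks for write access to pull requests only for its autolabeler and read access otherwise. If the autolabeler is not used here, `pull-requests: read` would be enough. The `steps:` block lies outside the hunk, so it is also worth confirming that the action is pinned to a full commit SHA now that the job carries `contents: write`.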
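Review bot: `.github/workflows/test-cygwin.yml` gets a job-level block on `success` but no workflow-level `permissions:` block, unlike test-docker.yml, test-mingw.yml, test-windows.yml and test.yml in this same change. Its `build` job would therefore keep the repository's default token permissions, unless the file already restricts them outside this hunk. Adding `permissions:` with `contents: read` after the `on:` trigger would put the Cygwin build on the same read-only token as the other test workflows. The trigger section is not visible here, so the insertion point needs checking against the file.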
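Review bot: In the `success` job of `.github/workflows/test-docker.yml`, `contents: none` reads as if only one scope were removed, when naming any scope already sets every unlisted one to no access. The same applies to the matching hunks in test-cygwin.yml, test-mingw.yml, test-windows.yml and test.yml. Writing `permissions: {}` states the intent directly, ideally with a comment such as `# no token access needed; job only reports the build result`. The job's steps are outside the hunk, so that comment wording assumes nothing in them uses the token.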
@@ -2,6 +2,9 @@ name: Test MinGW
 on: [push, pull_request, workflow_dispatch]
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: windows-latest
@@ -77,6 +80,8 @@ jobs:
 CODECOV_NAME: ${{ matrix.name }}
 success:
+ permissions:
+ contents: none
 needs: build
 runs-on: ubuntu-latest
 name: MinGW Test Successful
diff --git a/.github/workflows/test-valgrind.yml b/.github/workflows/test-valgrind.yml
index 21a2b469e..013e5ca4a 100644
--- a/.github/workflows/test-valgrind.yml
+++ b/.github/workflows/test-valgrind.yml
@@ -13,6 +13,9 @@ on:
 - "**.h"
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 build:
diff --git a/.github/workflows/test-windows.yml b/.github/workflows/test-windows.yml
index 358461b38..b9accfdf9 100644
--- a/.github/workflows/test-windows.yml
+++ b/.github/workflows/test-windows.yml
@@ -2,6 +2,9 @@ name: Test Windows
 on: [push, pull_request, workflow_dispatch]
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: windows-latest
@@ -189,6 +192,8 @@ jobs:
 path: dist\*.whl
 success:
+ permissions:
+ contents: none
 needs: build
 runs-on: ubuntu-latest
 name: Windows Test Successful
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index d41f4b571..5614ad5f2 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -2,6 +2,9 @@ name: Test
 on: [push, pull_request, workflow_dispatch]
+permissions:
+ contents: read
+
 jobs:
 build:
@@ -109,6 +112,8 @@ jobs:
 CODECOV_NAME: ${{ matrix.os }} Python ${{ matrix.python-version }}
 success:
+ permissions:
+ contents: none
 needs: build
 runs-on: ubuntu-latest
 name: Test Successful
diff --git a/.github/workflows/tidelift.yml b/.github/workflows/tidelift.yml
index 9a3192f9d..c73f25431 100644
--- a/.github/workflows/tidelift.yml
+++ b/.github/workflows/tidelift.yml
@@ -12,6 +12,9 @@ on:
 - ".github/workflows/tidelift.yml"
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 build:
 if: github.repository_owner == 'python-pillow'