ci/publish: tighten permissions

hynek · hynek · commit 3187b01d390f · 2024-10-31T06:56:01.000+01:00
diff --git a/.github/workflows/pypi-package.yml b/.github/workflows/pypi-package.yml
@@ -10,26 +10,26 @@ on:
       - published
   workflow_dispatch:
 
-permissions:
-  attestations: write
-  contents: read
-  id-token: write
 
 env:
   FORCE_COLOR: "1" # Make tools pretty.
   PIP_DISABLE_PIP_VERSION_CHECK: "1"
   PIP_NO_PYTHON_VERSION_WARNING: "1"
 
+
 jobs:
   # Always build & lint package.
   build-package:
     name: Build & verify package
     runs-on: ubuntu-latest
+    permissions:
+      attestations: write
 
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: hynek/build-and-inspect-python-package@v2
         with:
@@ -43,6 +43,10 @@ jobs:
     runs-on: ubuntu-latest
     needs: build-package
 
+    permissions:
+      contents: read
+      id-token: write
+
     steps:
       - name: Download packages built by build-and-inspect-python-package
         uses: actions/download-artifact@v4
