ci(github): set permissions in workflows

remarkablemark · web-flow · commit f16febcb0432 · 2025-11-15T19:32:57.000-05:00
diff --git a/.github/workflows/assign-reviewer.yml b/.github/workflows/assign-reviewer.yml
@@ -1,6 +1,9 @@
 name: Assign Reviewer
 on: pull_request_target
 
+permissions:
+  pull-requests: write
+
 jobs:
   assign-reviewer:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,6 +1,9 @@
 name: build
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml
@@ -1,6 +1,9 @@
 name: commitlint
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   commitlint:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -1,6 +1,9 @@
 name: lint
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -9,6 +9,9 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       release_created: ${{ steps.release.outputs.release_created }}
+    permissions:
+      contents: write
+      pull-requests: write
 
     steps:
       - name: Release Please
@@ -19,11 +22,11 @@ jobs:
 
   publish:
     runs-on: ubuntu-latest
+    needs: release-please
+    if: ${{ needs.release-please.outputs.release_created }}
     permissions:
       contents: read
       id-token: write
-    needs: release-please
-    if: ${{ needs.release-please.outputs.release_created }}
 
     steps:
       - name: Checkout repository
diff --git a/.github/workflows/size-limit.yml b/.github/workflows/size-limit.yml
@@ -3,13 +3,21 @@ on:
   pull_request:
     branches:
       - master
+
+permissions:
+  pull-requests: write
+
 jobs:
   size:
     runs-on: ubuntu-latest
     env:
       CI_JOB_NUMBER: 1
+
     steps:
-      - uses: actions/checkout@v5
-      - uses: andresz1/size-limit-action@v1
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Size Limit
+        uses: andresz1/size-limit-action@v1
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -1,6 +1,9 @@
 name: test
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
