actions: permissions

ThisAMJ · ThisAMJ · commit 15c29b502b79 · 2025-05-07T11:28:28.000+10:00
principle of least privilege. still need to figure out codeql before merge
or remove it and pray we don't add any vulnerabilities
diff --git a/.github/workflows/CD.yml b/.github/workflows/CD.yml
@@ -4,10 +4,15 @@ on:
   push:
     tags: '*'
 
+permissions:
+  contents: read
+
 jobs:
   build-lin:
     name: Linux Build
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -48,6 +53,8 @@ jobs:
   build-win:
     name: Windows Build
     runs-on: windows-2019
+    permissions:
+      contents: write
     env:
       POWERSHELL_TELEMETRY_OPTOUT: 1
     steps:
@@ -100,6 +107,8 @@ jobs:
     if: github.repository == 'p2sr/SourceAutoRecord'
     needs: [build-lin, build-win]
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Get Release Version
         id: get_release
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
@@ -16,10 +16,15 @@ on:
       - 'Makefile'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build-lin:
     name: Linux Build
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -60,6 +65,8 @@ jobs:
   build-win:
     name: Windows Build
     runs-on: windows-2019
+    permissions:
+      contents: write
     env:
       POWERSHELL_TELEMETRY_OPTOUT: 1
     steps:
