diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7f756a7..d913521 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,6 +2,9 @@ name: CI
 on: pull_request
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
diff --git a/.github/workflows/stable-release.yml b/.github/workflows/stable-release.yml
index d1b9630..5db23a1 100644
--- a/.github/workflows/stable-release.yml
+++ b/.github/workflows/stable-release.yml
@@ -8,6 +8,10 @@ on:
 jobs:
 release:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ issues: write
+ pull-requests: write
 outputs:
 has-new-release: ${{ steps.release.outputs.new_release_published }}
 tag-name: ${{ steps.release.outputs.new_release_git_tag }}
@@ -28,6 +32,8 @@ jobs:
 publish:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 needs: release
 if: needs.release.outputs.has-new-release == 'true'
 steps:
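Review bot: stable-release.yml gets job-level `permissions` only, so unlike ci.yml it still has no workflow-level default as far as this diff shows (the lines above `jobs:` are outside the hunk). A job added here later without its own block would fall back to the repository or organization default for `GITHUB_TOKEN`, which can be read-write. Consider adding `permissions: {}` at the top of the file and keeping the two job-level grants. A short comment above the `release` block naming what each write scope is for, e.g. `# contents: tag and GitHub release; issues/pull-requests: release comments`, would help a later reviewer trim them; the release steps are not visible, so that wording needs confirming against them.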
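Review bot: The `publish` job is now limited to `contents: read`, and every scope not listed in a `permissions` block becomes `none`. Its steps are outside the hunk; if they publish to GitHub Packages or use npm provenance, the job also needs `packages: write` or `id-token: write`. Because the job is gated on `needs.release.outputs.has-new-release == 'true'`, a missing scope would only surface on the next real release, so the publish steps are worth checking against this block before merging.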