Update some permissions.

johnbillion · Dec 10, 2024 · b24c2bf · b24c2bf
1 parent 13c5538
commit b24c2bf
Show file tree

Hide file tree

Showing 6 changed files with 18 additions and 13 deletions.
diff --git a/.github/workflows/acceptance-tests.yml b/.github/workflows/acceptance-tests.yml
@@ -29,12 +29,13 @@ on:
       - 'docker-compose.yml'
   workflow_dispatch:
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   test:
     name: WP ${{ matrix.wp }}
+    permissions:
+      contents: read
     strategy:
       # See the following for PHP compatibility of WordPress versions:
       # https://make.wordpress.org/core/handbook/references/php-compatibility-and-wordpress-versions/

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -7,12 +7,13 @@ on:
       - 'release'
   workflow_dispatch:
 
-permissions:
-  contents: write
+permissions: {}
 
 jobs:
   build:
     name: Build
+    permissions:
+      contents: write
     uses: johnbillion/plugin-infrastructure/.github/workflows/reusable-build.yml@trunk
     with:
       node: false

diff --git a/.github/workflows/coding-standards.yml b/.github/workflows/coding-standards.yml
@@ -27,12 +27,13 @@ on:
       - 'phpstan.neon.dist'
   workflow_dispatch:
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   test:
     name: ${{ matrix.label }}
+    permissions:
+      contents: read
     uses: johnbillion/plugin-infrastructure/.github/workflows/reusable-coding-standards.yml@trunk
     strategy:
       matrix:

diff --git a/.github/workflows/deploy-assets.yml b/.github/workflows/deploy-assets.yml
@@ -6,12 +6,13 @@ on:
     branches:
       - deploy
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   wordpress:
     name: WordPress.org
+    permissions:
+      contents: read
     uses: johnbillion/plugin-infrastructure/.github/workflows/reusable-deploy-assets.yml@trunk
     with:
       node: false

diff --git a/.github/workflows/deploy-tag.yml b/.github/workflows/deploy-tag.yml
@@ -13,11 +13,7 @@ on:
 
 concurrency: WordPress.org
 
-permissions:
-  attestations: write
-  contents: read
-  id-token: write
-  issues: write
+permissions: {}
 
 jobs:
   deploy:
@@ -34,6 +30,7 @@ jobs:
     secrets:
       WPORG_SVN_USERNAME: ${{ secrets.WPORG_SVN_USERNAME }}
       WPORG_SVN_PASSWORD: ${{ secrets.WPORG_SVN_PASSWORD }}
+
   attest:
     name: Generate attestation
     runs-on: ubuntu-latest

diff --git a/.github/workflows/nightly-tests.yml b/.github/workflows/nightly-tests.yml
@@ -21,9 +21,13 @@ on:
       - '.github/workflows/nightly-tests.yml'
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   acceptance:
     name: Nightly ${{ matrix.label }}
+    permissions:
+      contents: read
     strategy:
       matrix:
         label: