diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index f5dc4ac..df86db9 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -1,14 +1,20 @@
 name: Checks
 on:
-  - push
-  - pull_request
+  push:
+  pull_request:
+  workflow_dispatch:
+
+# Minimal file-level permissions for checks: read repository contents for linting/tests
+permissions:
+  contents: read
 jobs:
   detect-quota:
     # Probe the hosted runner (same flavor as the original try job) so we
     # can decide whether to use a hosted runner or fall back to
     # self-hosted. The job should fail if quota is exhausted.
+    permissions: {}
     runs-on: ubuntu-slim
     steps:
       - name: Quota probe
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 251bebc..c0dfbe9 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -3,12 +3,13 @@ name: Docker CI
 on:
   push:
   pull_request:
+  workflow_dispatch:
+# Minimize permissions for Docker CI; only allow read access to repo contents
+# and package write for pushing images to GHCR.
 permissions:
   contents: read
   packages: write
-  attestations: write
-  id-token: write
 env:
   REGISTRY: ghcr.io
@@ -19,6 +20,7 @@ jobs:
     # Probe the hosted runner to decide whether to use hosted runners or
     # fall back to self-hosted. Use the same runner flavor as the original
     # try job.
+    permissions: {}
     runs-on: ubuntu-slim
     steps:
       - name: Quota probe
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5a35161..3d85ccf 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,7 +4,10 @@ on:
   push:
     branches:
       - main
+  workflow_dispatch:
+# Minimize default permissions; grant elevated permissions only to the
+# `release_please` job below.
 permissions:
   contents: write
   issues: write
@@ -19,6 +22,7 @@ jobs:
   detect-quota:
     # Probe the hosted runner flavor used by release steps so we can fall
     # back if necessary.
+    permissions: {}
     runs-on: ubuntu-slim
     steps:
       - name: Quota probe
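Review bot: The new `pull_request:` trigger sits directly above a job comment that documents falling back to self-hosted runners, and nothing in this hunk gates that fallback on where the PR comes from; on a public repository a pull_request opened from a fork would then execute untrusted code on a self-hosted runner, which GitHub's own guidance warns against. The fallback job is outside the hunk, so it may already carry such a guard — if not, gate it with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`, or limit the self-hosted fallback to push and workflow_dispatch events. The added comment line also exceeds 80 columns; wrapping it as `# Minimal file-level permissions for checks: read repository` / `# contents for linting/tests.` keeps yamllint quiet. The hunk header counts more lines than are visible here, so its trailing context after `- name: Quota probe` is not shown.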
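Review bot: Dropping `attestations: write` and `id-token: write` from the workflow-level permissions removes exactly the token scopes that provenance or SBOM attestation steps need (for example `actions/attest-build-provenance`, keyless signing, or `docker/build-push-action` with `provenance: true`), so if the build job still runs such a step it will now fail, and if that step was removed as well the images pushed to GHCR lose their supply-chain attestations. The build job is not in this hunk, so which case applies cannot be confirmed from here; if attestation is still intended, the least-privilege form is to keep the two scopes but move them, together with `packages: write`, into the pushing job's own `permissions:` block instead of granting `packages: write` to every job at the workflow level. Whichever way it is decided, a line such as `# id-token/attestations are intentionally not granted: images are pushed without provenance attestations.` in the comment above `permissions:` would record the decision for the next reader.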
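Review bot: The added comment states that elevated permissions are granted only to the `release_please` job, but the workflow-level `permissions:` block immediately below it still holds `contents: write` and `issues: write`, which every job other than detect-quota inherits, so the comment does not describe the configuration it sits on. Either move those scopes into `jobs.release_please.permissions` and reduce the workflow level to `contents: read`, or reword the comment to `# Workflow-level write scopes apply to every job except detect-quota,` / `# which opts out with permissions: {} below.` The hunk's old-side line count is larger than what is visible, so the permissions block likely continues past `issues: write` with further scopes that inherit the same way.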