authorDiogo Teles Sant'Anna <diogoteles@google.com>2023-06-16 14:57:14 (GMT)
committerGitHub <noreply@github.com>2023-06-16 14:57:14 (GMT)
commit5e8a230619fc06b213fc2ad66b4a70f52429b68d (patch)
tree716811f49f8ffb8200a942ad27a32c48edc3c2fb /.github
parent8135cc280c63f72dc1818b642a2b21a7a1b9b6dd (diff)
downloadhdf5-5e8a230619fc06b213fc2ad66b4a70f52429b68d.zip
hdf5-5e8a230619fc06b213fc2ad66b4a70f52429b68d.tar.gz
hdf5-5e8a230619fc06b213fc2ad66b4a70f52429b68d.tar.bz2
Define minimal permissions for new GitHub workflows (#3147)
Diffstat (limited to '.github')
-rw-r--r--.github/workflows/daily-build.yml5
-rw-r--r--.github/workflows/h5py.yml3
-rw-r--r--.github/workflows/netcdf.yml3
-rw-r--r--.github/workflows/release.yml4
4 files changed, 15 insertions, 0 deletions
diff --git a/.github/workflows/daily-build.yml b/.github/workflows/daily-build.yml
index 265a6c3..ec35e10 100644
--- a/.github/workflows/daily-build.yml
+++ b/.github/workflows/daily-build.yml
@@ -6,6 +6,9 @@ on:
schedule:
- cron: "6 0 * * *"
+permissions:
+ contents: read
+
# A workflow run is made up of one or more jobs that can run sequentially or
# in parallel.
jobs:
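Review bot: The new top-level `permissions:` block has no explanatory comment, unlike the one in the release.yml hunk, and the same is true of the h5py.yml and netcdf.yml hunks. Listing only `contents: read` sets every unlisted scope to `none` for the workflow token, which is the intended hardening but is easy to overlook when a later step needs another scope. I would put `# Minimal permissions to be inherited by any job that doesn't declare its own permissions` above the block in all three files, so the intent is stated where the restriction lives. The `jobs:` mapping continues outside the hunk.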
@@ -21,6 +24,8 @@ jobs:
call-workflow-release:
needs: [call-workflow-tarball, call-workflow-ctest]
+ permissions:
+ contents: write # In order to allow tag creation
uses: ./.github/workflows/release.yml
with:
file_base: ${{ needs.call-workflow-tarball.outputs.file_base }}
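Review bot: The `contents: write` grant on `call-workflow-release` is a ceiling for every job inside `./.github/workflows/release.yml`, not only the tagging step, because a called workflow can lower the caller's token permissions but never raise them. The inline comment should say so, for example `contents: write # Upper bound for release.yml; needed for tag creation`, so a reader knows the narrowing has to happen in release.yml. Least privilege here depends on release.yml keeping its own read-only default for jobs that do not tag. The job's `with:` block continues outside the hunk.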
diff --git a/.github/workflows/h5py.yml b/.github/workflows/h5py.yml
index fb82dc1..63531ed 100644
--- a/.github/workflows/h5py.yml
+++ b/.github/workflows/h5py.yml
@@ -4,6 +4,9 @@ on:
schedule:
- cron: "6 0 * * *"
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
diff --git a/.github/workflows/netcdf.yml b/.github/workflows/netcdf.yml
index 137e5e5..37041d6 100644
--- a/.github/workflows/netcdf.yml
+++ b/.github/workflows/netcdf.yml
@@ -14,6 +14,9 @@ on:
- 'COPYING**'
- '**.md'
+permissions:
+ contents: read
+
# Using concurrency to cancel any in-progress job or run
concurrency:
group: ${{ github.workflow }}-${{ github.sha || github.event.pull_request.number }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ae58434..e79dfd2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -17,6 +17,10 @@ on:
required: true
type: string
+# Minimal permissions to be inherited by any job that doesn't declare its own permissions
+permissions:
+ contents: read
+
# Previous workflows must pass to get here so tag the commit that created the files
jobs:
create-tag:
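Review bot: With the workflow-level default now `contents: read`, `create-tag` can only push a tag if it declares `contents: write` in its own body, which lies outside this hunk. The four added lines do not include such a declaration, so it is worth confirming that the job already carries one. If it does not, the tag push would presumably be rejected, because this default narrows the write grant from the caller in daily-build.yml. In that case, add `permissions:` and `contents: write # In order to allow tag creation` under `create-tag:`.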