ci: explicitly define permissions at the job level

.github/workflows/checks.yml

@@ -6,11 +6,14 @@ on:
     branches:
       - main
 
-permissions:
-  contents: read # to fetch code (actions/checkout)
+# Restrict jobs in this workflow to have no permissions by default; permissions
+# should be granted per job as needed using a dedicated `permissions` block
+permissions: {}
 
 jobs:
   test-ubuntu:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     name: Test on Ubuntu
     runs-on: ubuntu-latest
     steps:
@@ -24,6 +27,8 @@ jobs:
 
       - run: make test
   test-macos:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     name: Test on MacOS
     runs-on: macos-latest
     steps:
@@ -37,6 +42,8 @@ jobs:
 
       - run: make test
   test-windows:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     name: Test on Windows
     runs-on: windows-latest
     steps:
@@ -50,6 +57,8 @@ jobs:
 
       - run: make test
   golangci-lint:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -66,6 +75,8 @@ jobs:
         with:
           version: v1.55
   go-fmt:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -75,6 +86,8 @@ jobs:
 
       - run: make lint-with-go-fmt
   prettier:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     runs-on: ubuntu-latest
     steps:
       - name: Checkout

.github/workflows/release.yml

@@ -5,11 +5,14 @@ on:
     tags:
       - 'v*'
 
-permissions:
-  contents: read # to fetch code (actions/checkout)
+# Restrict jobs in this workflow to have no permissions by default; permissions
+# should be granted per job as needed using a dedicated `permissions` block
+permissions: {}
 
 jobs:
   test-ubuntu:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     name: Test on Ubuntu
     runs-on: ubuntu-latest
     steps:
@@ -23,6 +26,8 @@ jobs:
 
       - run: make test
   test-macos:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     name: Test on MacOS
     runs-on: macos-latest
     steps:
@@ -36,6 +41,8 @@ jobs:
 
       - run: make test
   test-windows:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     name: Test on Windows
     runs-on: windows-latest
     steps:
@@ -49,6 +56,8 @@ jobs:
 
       - run: make test
   golangci-lint:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -65,6 +74,8 @@ jobs:
         with:
           version: v1.55
   go-fmt:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -74,6 +85,8 @@ jobs:
 
       - run: make lint-with-go-fmt
   prettier:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -86,6 +99,8 @@ jobs:
       - run: npx prettier --prose-wrap always --check .
 
   goreleaser:
+    permissions:
+      contents: write # to create a GitHub release (goreleaser/goreleaser-action)
     runs-on: ubuntu-latest
     needs:
       - test-ubuntu
@@ -94,8 +109,6 @@ jobs:
       - prettier
       - golangci-lint
       - go-fmt
-    permissions:
-      contents: write # to create a GitHub release (goreleaser/goreleaser-action)
     steps:
       - name: Checkout
         uses: actions/checkout@v4

.github/workflows/semantic.yml

@@ -18,14 +18,17 @@ on:
     paths:
       - 'generators/**'
 
-permissions:
-  contents: read # to fetch code (actions/checkout)
+# Restrict jobs in this workflow to have no permissions by default; permissions
+# should be granted per job as needed using a dedicated `permissions` block
+permissions: {}
 
 env:
   VERSION_GENERATOR_PRINT: ${{ inputs.filterResults }}
 
 jobs:
   generate-debian-versions:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -56,6 +59,8 @@ jobs:
           key: ${{ runner.os }}-${{ hashFiles('debian-db.zip') }}
 
   generate-packagist-versions:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -73,6 +78,8 @@ jobs:
           path: pkg/semantic/fixtures/packagist-versions-generated.txt
 
   generate-pypi-versions:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -91,6 +98,8 @@ jobs:
           path: pkg/semantic/fixtures/pypi-versions-generated.txt
 
   generate-rubygems-versions:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -109,6 +118,8 @@ jobs:
           path: pkg/semantic/fixtures/rubygems-versions-generated.txt
 
   generate-maven-versions:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -133,6 +144,8 @@ jobs:
           path: pkg/semantic/fixtures/maven-versions-generated.txt
 
   generate-cran-versions:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -149,6 +162,8 @@ jobs:
           path: pkg/semantic/fixtures/cran-versions-generated.txt
 
   test-semantic:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     runs-on: ubuntu-latest
     needs:
       - generate-debian-versions