feat: tighten actions security

yeojz · yeojz · commit 74e5af5f26b7 · 2026-01-31T19:56:24.000+08:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -7,6 +7,9 @@ on:
     paths:
       - "package.json"
 
+permissions:
+  contents: read
+
 jobs:
   publish-dry-run:
     if: "${{ github.event_name == 'workflow_dispatch' || startsWith(github.event.head_commit.message, 'chore: release v') }}"
@@ -84,6 +87,9 @@ jobs:
     if: needs.publish-dry-run.outputs.should_publish == 'true'
     runs-on: ubuntu-latest
     environment: production
+    permissions:
+      contents: read
+      id-token: write
 
     steps:
       - uses: actions/checkout@v4
diff --git a/.github/workflows/version.yml b/.github/workflows/version.yml
@@ -12,15 +12,15 @@ on:
           - minor
           - major
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   version:
     if: github.ref == 'refs/heads/main'
     runs-on: ubuntu-latest
     environment: test
-    permissions:
-      contents: write
-      pull-requests: write
-
     steps:
       - uses: actions/checkout@v4
         with:
