From 683f44762b14f6a144f0b7801cc080f146d1024f Mon Sep 17 00:00:00 2001 From: Yuval Shavit Date: Sun, 22 Mar 2026 00:40:43 -0400 Subject: [PATCH] tighten gha permissions --- .github/workflows/binary-verify.yml | 2 ++ .github/workflows/build-release.yml | 7 ++++--- .github/workflows/coverage.yml | 3 +++ .github/workflows/formatting.yml | 3 +++ .github/workflows/list-targets.yml | 2 ++ .github/workflows/pr-checks.yml | 7 +++++-- .github/workflows/prepare-new-release.yml | 4 +++- .github/workflows/readme-checks.yml | 3 +++ .github/workflows/release-assets.yml | 7 ++++--- .github/workflows/release-publish.yml | 7 ++++++- .github/workflows/rust.yml | 3 +++ .github/workflows/system-test.yml | 3 +++ 12 files changed, 41 insertions(+), 10 deletions(-) diff --git a/.github/workflows/binary-verify.yml b/.github/workflows/binary-verify.yml index 27304bb6..72f42a13 100644 --- a/.github/workflows/binary-verify.yml +++ b/.github/workflows/binary-verify.yml @@ -35,6 +35,7 @@ jobs: dispatch-targets: needs: list-targets runs-on: ubuntu-latest + permissions: { } outputs: windows: ${{ steps.run.outputs.windows }} non-windows: ${{ steps.run.outputs.non-windows }} @@ -139,6 +140,7 @@ jobs: docker: runs-on: ubuntu-latest + permissions: { } steps: - name: Calculate tag id: tag diff --git a/.github/workflows/build-release.yml b/.github/workflows/build-release.yml index 4b7a48fc..3a1edae5 100644 --- a/.github/workflows/build-release.yml +++ b/.github/workflows/build-release.yml @@ -28,10 +28,7 @@ on: env: CARGO_TERM_COLOR: always -# for attestations permissions: - id-token: write - attestations: write contents: read jobs: @@ -86,6 +83,10 @@ jobs: build: needs: build-targets + permissions: + contents: read + id-token: write + attestations: write strategy: matrix: target: ${{ fromJSON(needs.build-targets.outputs.names) }} diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index 2da9b58a..8d7ea151 100644 --- a/.github/workflows/coverage.yml 
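Review bot: `permissions: { }` on the `docker` job in binary-verify.yml replaces the workflow-level block entirely rather than narrowing it, so that job's GITHUB_TOKEN ends up with no scopes at all. That is the right default for a job that only computes a tag, but if a later step in this job (its body is cut off after `id: tag`) checks out the repository or calls the GitHub API it will need an explicit `contents: read`; on private repositories `actions/checkout` fails without it. The same applies to the `dispatch-targets` job in the first hunk, whose steps are also outside the hunk. Once confirmed, say so inline, e.g. `permissions: { }  # no GITHUB_TOKEN scopes needed in this job`.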
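Review bot: The job-level block that grants `id-token: write` and `attestations: write` to the `build` job in build-release.yml no longer carries the `# for attestations` comment that the deleted workflow-level block had, so the reason this job can mint OIDC tokens is now undocumented. Add the comment back above the new `permissions:` key, e.g. `# id-token/attestations: required by the attestation step below`. Because this workflow is called as a reusable workflow (release-assets.yml invokes it via `uses:` with the same three scopes), the effective permissions are the intersection with the caller's grant, which is worth stating in the same comment; the `build` job's steps are outside the hunk, so I cannot confirm which step consumes the token.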
+++ b/.github/workflows/coverage.yml @@ -4,6 +4,9 @@ on: push: branches: [ "main" ] +permissions: + contents: read + jobs: coverage: runs-on: ubuntu-latest diff --git a/.github/workflows/formatting.yml b/.github/workflows/formatting.yml index 3ea86786..c36424c3 100644 --- a/.github/workflows/formatting.yml +++ b/.github/workflows/formatting.yml @@ -5,6 +5,9 @@ on: pull_request: branches: [ "main", "feature/*" ] +permissions: + contents: read + jobs: newlines: runs-on: ubuntu-latest diff --git a/.github/workflows/list-targets.yml b/.github/workflows/list-targets.yml index a9784516..5ef8a241 100644 --- a/.github/workflows/list-targets.yml +++ b/.github/workflows/list-targets.yml @@ -16,6 +16,8 @@ on: value: ${{ jobs.list-targets.outputs.rust_target_by_target }} +permissions: { } + jobs: list-targets: runs-on: ubuntu-latest diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index 7aee313f..ce3c558c 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -4,6 +4,9 @@ on: pull_request: branches: [ "main", "feature/*" ] +permissions: + contents: read + jobs: semver: permissions: @@ -57,7 +60,7 @@ jobs: breaking-change-docs: needs: semver permissions: - contents: read + pull-requests: read runs-on: ubuntu-latest steps: - name: Fetch PR description @@ -96,4 +99,4 @@ jobs: elif [[ "$has_label" == "false" && "$has_section" == "true" ]]; then echo "::error title=breaking-change-docs::PR has '# Breaking change' section in description but is missing 'breaking change' label." exit 1 - fi \ No newline at end of file + fi diff --git a/.github/workflows/prepare-new-release.yml b/.github/workflows/prepare-new-release.yml index 266fe3b1..46a26c37 100644 --- a/.github/workflows/prepare-new-release.yml +++ b/.github/workflows/prepare-new-release.yml @@ -22,6 +22,9 @@ on: type: boolean default: true +permissions: + contents: read + jobs: create_draft: runs-on: ubuntu-latest 
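Review bot: list-targets.yml now sets `permissions: { }` for the whole reusable workflow, which strips even `contents: read` from the `list-targets` job. If that job checks out the repository to enumerate targets (its steps are outside the hunk), `actions/checkout` needs `contents: read` — reads of a public repository may still succeed with an unscoped token, but a private repository would break. If the job really needs no token, keep the empty block and say so: `permissions: { }  # GITHUB_TOKEN is not used by this workflow`.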
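Review bot: In pr-checks.yml the `breaking-change-docs` job now declares only `pull-requests: read`, and because a job-level `permissions` block replaces the workflow-level one rather than merging with it, the `contents: read` this commit adds at the top of the file does not reach this job. That is fine if the job only runs `gh`/API calls against the PR (the "Fetch PR description" step suggests so), but if any step checks out the repository it needs `contents: read` alongside, i.e. `permissions:` / `contents: read` / `pull-requests: read`. A one-line comment stating why `pull-requests: read` is required (reading the PR body and labels) would help the next reader. The job's steps between "Fetch PR description" and the final `fi` are outside the hunk.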
@@ -31,7 +34,6 @@ jobs: TAG_NAME: "v${{ github.event.inputs.version_to_release }}" permissions: contents: write - pull-requests: write steps: diff --git a/.github/workflows/readme-checks.yml b/.github/workflows/readme-checks.yml index 844f3f08..58b17f01 100644 --- a/.github/workflows/readme-checks.yml +++ b/.github/workflows/readme-checks.yml @@ -8,6 +8,9 @@ on: env: CARGO_TERM_COLOR: always +permissions: + contents: read + jobs: check-msrv: runs-on: ubuntu-latest diff --git a/.github/workflows/release-assets.yml b/.github/workflows/release-assets.yml index b9782af2..4a59fa00 100644 --- a/.github/workflows/release-assets.yml +++ b/.github/workflows/release-assets.yml @@ -22,10 +22,7 @@ on: type: string required: false -# for attestations in build-release.yml permissions: - id-token: write - attestations: write contents: write # needed for viewing and uploading to the draft release jobs: @@ -91,6 +88,10 @@ jobs: build: needs: validate + permissions: + contents: read + id-token: write + attestations: write uses: ./.github/workflows/build-release.yml secrets: inherit with: diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml index 89c7066c..f33dbe84 100644 --- a/.github/workflows/release-publish.yml +++ b/.github/workflows/release-publish.yml @@ -18,9 +18,14 @@ env: DOCKER_RC_TAG: "yshavit/mdq:${{ inputs.version }}-rc" DOCKER_PUBLISH_TAG: "yshavit/mdq:${{ inputs.version }}" +permissions: + contents: read + jobs: verify: runs-on: ubuntu-latest + permissions: + pull-requests: read env: GH_TOKEN: ${{ github.token }} outputs: @@ -65,6 +70,7 @@ jobs: environment: Docker Hub needs: verify runs-on: ubuntu-latest + permissions: { } steps: - name: Log in to Docker Hub @@ -172,4 +178,3 @@ jobs: - name: Publish run: cargo publish - diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml index fd71e902..aafc892a 100644 --- a/.github/workflows/rust.yml +++ b/.github/workflows/rust.yml 
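Review bot: The workflow-level `contents: write` in release-assets.yml still applies to every job that does not override it, and only the `build` job now declares its own block; `validate` (visible only as `needs: validate`) and any upload job therefore keep write access whether or not they need it. Consider giving jobs that only read a job-level `permissions: contents: read` and keeping `contents: write` solely on the job that uploads to the draft release. The dropped `# for attestations in build-release.yml` comment should move onto the new job-level block, e.g. `# id-token/attestations: build-release.yml produces signed attestations`. `secrets: inherit` hands every repository secret to the reusable workflow; listing only the secrets build-release.yml needs would be a further tightening, though that is pre-existing.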
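Review bot: The `verify` job in release-publish.yml sets `GH_TOKEN: ${{ github.token }}` but its new job-level block grants only `pull-requests: read`, which overrides the workflow-level `contents: read` added in the same hunk. Any `gh release view`/`gh api` call against the repository, or a checkout, in that job then runs with no `contents` scope; if verify touches the release or the source tree, add `contents: read` to the job block. Likewise `permissions: { }` on the Docker Hub job (third hunk) is fine for the push itself because Docker Hub uses its own credentials from the environment, but a `docker build` from a checkout would again need `contents: read`. The verify and docker job steps are outside the hunks.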
@@ -9,6 +9,9 @@ on: env: CARGO_TERM_COLOR: always +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest diff --git a/.github/workflows/system-test.yml b/.github/workflows/system-test.yml index d1e88c2d..8fb44193 100644 --- a/.github/workflows/system-test.yml +++ b/.github/workflows/system-test.yml @@ -6,6 +6,9 @@ on: branches: [ "main", "feature/*" ] workflow_dispatch: { } +permissions: + contents: read + jobs: toml-cases: runs-on: ubuntu-latest