Set low top level permissions for workflows and increase where needed instead.

niklasga · niklasga · commit 9d956a896cee · 2025-12-01T14:00:48.000+01:00
diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml
@@ -4,13 +4,15 @@ name: Dependabot auto-merge
 on: pull_request
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
   dependabot:
     runs-on: ubuntu-latest
     if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'FortnoxAB/changesets-java'
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: Harden the runner (Audit all outbound calls)
         uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
diff --git a/.github/workflows/dependabot-changesets.yml b/.github/workflows/dependabot-changesets.yml
@@ -4,13 +4,15 @@ on:
   pull_request: {}
 
 permissions:
-  pull-requests: read
-  contents: write
+  contents: read
 
 jobs:
   generate-changeset:
     runs-on: ubuntu-latest
     if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'FortnoxAB/changesets-java'
+    permissions:
+      pull-requests: read
+      contents: write
     steps:
       - name: Harden the runner (Audit all outbound calls)
         uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
diff --git a/.github/workflows/publish-site-ghpages.yml b/.github/workflows/publish-site-ghpages.yml
