Set appropriate permissions to all Github Actions workflows (#1976)

iMicknl · github-advanced-security[bot] · Copilot · web-flow · commit 13333556ee09 · 2026-04-06T22:25:46.000+02:00
Potential fix for [https://github.com/iMicknl/python-overkiz-api/security/code-scanning/19](https://github.com/iMicknl/python-overkiz-api/security/code-scanning/19) In general, the fix is to explicitly declare a `permissions` block in the workflow, restricting the `GITHUB_TOKEN` to the minimum scope required. For this test workflow, read-only access to repository contents is sufficient, so `contents: read` at the top level is appropriate. This documents the intended permissions, avoids accidental write access if organization defaults are broad, and applies to all jobs that do not override permissions. The best concrete fix here is to add a root-level `permissions:` block just after the `name: test` line in `.github/workflows/test.yml`. This will apply `contents: read` to the entire workflow, including the `pytest` job. No existing steps need to be changed, and no additional imports or actions are required because `actions/checkout` and the other used actions work with read-only contents. Only this YAML file needs updating, and the change is limited to inserting the new `permissions` section. _Suggested fixes powered by Copilot Autofix. Review carefully before merging._ --------- Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -1,5 +1,8 @@
 name: lint
 
+permissions:
+  contents: read
+
 on:
   pull_request:
   push:
diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml
@@ -1,4 +1,7 @@
 name: PR Labeler
+permissions:
+  contents: read
+  pull-requests: write
 on:
   pull_request:
     types: [opened]
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
@@ -8,6 +8,9 @@ on:
 jobs:
   update_release_draft:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: read
     steps:
       - name: Update release draft
         uses: release-drafter/release-drafter@v7
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -1,5 +1,8 @@
 name: test
 
+permissions:
+  contents: read
+
 on:
   pull_request:
   push:
