adjust GitHub action permissions

.github/workflows/_build.yaml

@@ -8,9 +8,6 @@
 
 name: Build
 
-permissions:
-  contents: read
-
 on:
   workflow_call:
     inputs:
@@ -21,6 +18,8 @@ on:
         type: string
         required: true
 
+permissions: read-all
+
 jobs:
   Build:
     runs-on: ${{ inputs.os }}

.github/workflows/_build_doc.yaml

@@ -7,9 +7,6 @@
 
 name: Build Doc
 
-permissions:
-  contents: read
-
 on:
   workflow_call:
     inputs:
@@ -20,6 +17,8 @@ on:
         type: string
         required: true
 
+permissions: read-all
+
 jobs:
   Build:
     runs-on: ${{ inputs.os }}

.github/workflows/_codecov.yaml

@@ -8,9 +8,6 @@
 
 name: CodeCov
 
-permissions:
-  contents: read
-
 on:
   workflow_call:
     inputs:
@@ -21,6 +18,8 @@ on:
         type: string
         required: true
 
+permissions: read-all
+
 concurrency:
   group: codecov-${{ github.ref }}
   cancel-in-progress: true

.github/workflows/_codeql.yaml

@@ -15,6 +15,12 @@ name: CodeQL
 on:
   workflow_call:
 
+# Don't change this permissions. These must match those of the analyze job.
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
 jobs:
   analyze:
     name: Analyze

.github/workflows/_pre_commit.yaml

@@ -7,12 +7,11 @@
 
 name: Pre-Commit
 
-permissions:
-  contents: read
-
 on:
   workflow_call:
 
+permissions: read-all
+
 jobs:
   Pre-Commit:
     runs-on: ubuntu-latest

.github/workflows/_pypi_publish.yaml

@@ -9,9 +9,6 @@
 
 name: PyPI Publish
 
-permissions:
-  contents: read
-
 on:
   workflow_call:
     inputs:
@@ -22,6 +19,8 @@ on:
       API_TOKEN:
         required: true
 
+permissions: read-all
+
 jobs:
   PyPI-Publish:
     name: Upload to ${{ inputs.REPOSITORY_URL }}

.github/workflows/_test.yaml

@@ -7,9 +7,6 @@
 
 name: Test Spot
 
-permissions:
-  contents: read
-
 on:
   workflow_call:
     inputs:
@@ -20,6 +17,8 @@ on:
         type: string
         required: true
 
+permissions: read-all
+
 jobs:
   Test:
     name: Test ${{ inputs.os }} ${{ inputs.python-version }}