ci: use permissionless runner token by default

Runner token permissions should be explicitly declared at the job-level

Signed-off-by: Seth Flynn <getchoo@tuta.io>
Seth Flynn 2026-02-02 16:57:38 -05:00
parent e0ad6a2b3b
commit add9e55493
No known key found for this signature in database
GPG key ID: D31BD0D494BBEE86
7 changed files with 30 additions and 9 deletions

@ -72,6 +72,8 @@ on:
type: string
default: Debug
permissions: {}
jobs:
build:
name: Build (${{ matrix.artifact-name }})
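Review bot: The top-level `permissions: {}` has no comment, so a later reader adding a job under `jobs:` gets a token with no scopes and no hint why their step fails. Add a one-line comment above it stating that every job must declare its own `permissions:` block. Only `build` is visible in this hunk, so please confirm that any other job in this file declares what it needs. If this workflow is called from another workflow through `workflow_call`, the caller's job must also grant at least the scopes `build` asks for, because a called workflow cannot raise permissions above what the caller passes.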
@ -79,6 +81,7 @@ jobs:
environment: ${{ inputs.environment || '' }}
permissions:
contents: read
# Required for Azure Trusted Signing
id-token: write
# Required for vcpkg binary cache
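Review bot: In the `build` job's `permissions:` block, `contents: read` is the only scope without a comment naming what needs it, while the scopes after it each have one (`# Required for Azure Trusted Signing`, `# Required for vcpkg binary cache`). Add a matching comment so the block stays auditable scope by scope. Separately, `id-token: write` applies to every leg of the matrix `build` job. If only some artifacts are signed, consider moving signing into its own job so the OIDC token is available only where signing runs.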