TerriaJS · sashashura · Sep 26, 2022 · Sep 26, 2022 · Sep 26, 2022
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -7,6 +7,9 @@ env:
 # Controls when the action will run.
 on: [push, pull_request]
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   # This workflow contains a single job called "build"

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -2,8 +2,15 @@ name: Deploy TerriaMap
 
 on: push
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   deploy:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
+      statuses: write # to create commit status (ci-deploy.sh)
+
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2

diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
@@ -7,8 +7,13 @@ on:
 env:
   NPM_TAG: latest
 
+permissions: {}
 jobs:
   publish:
+    permissions:
+      contents: write # to create and push a tag 
+      actions: read # to list jobs for workflow run (8398a7/action-slack)
+
     name: Publish to NPM
     runs-on: ubuntu-latest