ci: tweak workflow permissions more (#2026)

* ci: fix clear cache workflow permissions

* fix perms for deployment/nightly

* more finely scope other tasks

* fix nightly

* change name

* fix docs permissions

.github/workflows/bsd_vm_check.yml

@@ -1,5 +1,7 @@
 # Run BSD VM jobs with manually-implemented retries.
 
+name: "bsd vm check"
+
 on:
   workflow_call:
     inputs:

.github/workflows/build_releases.yml

@@ -10,6 +10,8 @@
 # TODO: Break this up into scripts instead.
 # TODO: Trigger this in CI as well if this file changes, so I don't have to spam nightly builds.
 
+name: "build releases"
+
 on:
   workflow_call:
     inputs:

.github/workflows/clear_workflow_cache.yml

@@ -19,6 +19,8 @@ permissions: {}
 
 jobs:
   clear-cache:
+    permissions:
+      actions: write
     if: ${{ github.event_name != 'pull_request' || ! github.event.pull_request.head.repo.fork }} # If it is a PR, only if not a fork
     runs-on: ubuntu-24.04
     env:

.github/workflows/deployment.yml

@@ -12,10 +12,7 @@ on:
     tags:
       - "[0-9]+.[0-9]+.[0-9]+"
 
-permissions:
-  id-token: write
-  contents: read
-  attestations: write
+permissions: {}
 
 env:
   CARGO_INCREMENTAL: 0
@@ -45,6 +42,10 @@ jobs:
 
   build-release:
     needs: [initialize]
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
     uses: ./.github/workflows/build_releases.yml
     with:
       caller: "deployment"
@@ -97,6 +98,8 @@ jobs:
     runs-on: ubuntu-24.04
     needs: [initialize, generate-choco, build-release]
     environment: production
+    permissions:
+      contents: write
     steps:
       - name: Set release version
         shell: bash

.github/workflows/docs.yml

@@ -1,4 +1,4 @@
-# Workflow to deploy mkdocs documentation.
+# Workflow to deploy nightly mkdocs documentation.
 
 name: docs
 
@@ -18,9 +18,7 @@ on:
       - "docs/**"
       - ".github/workflows/docs.yml"
 
-permissions:
-  pages: write
-  id-token: write
+permissions: {}
 
 env:
   # Assign commit authorship to official GitHub Actions bot when pushing to the `gh-pages` branch:
@@ -31,6 +29,8 @@ jobs:
   build-documentation:
     name: Build and deploy docs
     runs-on: ubuntu-24.04
+    permissions:
+      contents: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -56,5 +56,8 @@ jobs:
 
   publish-gh-pages:
     needs: [build-documentation]
+    permissions:
+      pages: write
+      id-token: write
     uses: ./.github/workflows/publish_github_pages.yml
     secrets: inherit

.github/workflows/nightly.yml

@@ -14,11 +14,7 @@ on:
         required: false
         type: boolean
 
-permissions:
-  id-token: write
-  contents: read
-  attestations: write
-  pages: write
+permissions: {}
 
 env:
   CARGO_INCREMENTAL: 0
@@ -53,6 +49,10 @@ jobs:
   build-release:
     needs: initialize-job
     if: ${{ needs.initialize-job.outputs.should_skip != 'true' }}
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
     uses: ./.github/workflows/build_releases.yml
     with:
       caller: "nightly"
@@ -62,6 +62,8 @@ jobs:
     name: upload-release
     needs: build-release
     runs-on: ubuntu-24.04
+    permissions:
+      contents: write
     outputs:
       TAG_NAME: ${{ steps.tag_release_name.outputs.TAG_NAME }}
     steps:
@@ -152,6 +154,10 @@ jobs:
   docs:
     needs: [initialize-job, upload-release]
     if: ${{ needs.initialize-job.outputs.should_skip != 'true' && github.event.inputs.isMock != 'true' }}
+    permissions:
+      pages: write
+      id-token: write
+      contents: write
     uses: ./.github/workflows/docs.yml
     secrets: inherit
     with:

.github/workflows/post_release.yml

@@ -13,9 +13,7 @@ on:
         description: "Which tag to deploy as:"
         required: true
 
-permissions:
-  pages: write
-  id-token: write
+permissions: {}
 
 env:
   # Assign commit authorship to official GitHub Actions bot when pushing to the `gh-pages` branch:
@@ -48,6 +46,8 @@ jobs:
   docs:
     needs: [initialize]
     runs-on: ubuntu-24.04
+    permissions:
+      contents: write
     steps:
       - name: Set release version
         shell: bash
@@ -80,6 +80,9 @@ jobs:
 
   publish-gh-pages:
     needs: [docs]
+    permissions:
+      pages: write
+      id-token: write
     uses: ./.github/workflows/publish_github_pages.yml
     secrets: inherit
 

.github/workflows/publish_github_pages.yml

@@ -8,6 +8,8 @@ on:
   workflow_dispatch:
   workflow_call:
 
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-24.04