From 48e063064c0daeb981160ba92c9f5c57998aca75 Mon Sep 17 00:00:00 2001
From: Marius Merschformann
Date: Tue, 17 Feb 2026 17:38:25 +0100
Subject: [PATCH] Addressing workflow permission security warning
---
 .github/workflows/build.yml | 53 +++++++++++++++++---------------
 .github/workflows/release.yml | 5 +++
 .github/workflows/static.yml | 58 +++++++++++++++++------------------
 3 files changed, 62 insertions(+), 54 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0deab9c..e9b4823 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -2,33 +2,36 @@ name: build on: [push] +permissions: + contents: read + jobs: - build: - name: "nextplot build, lint & test" - runs-on: ubuntu-latest - strategy: - matrix: - # Tests are currently stable only for python 3.11 - # due to the way we are testing - python-version: ["3.11"] - steps: - - uses: actions/checkout@v4 + build: + name: "nextplot build, lint & test" + runs-on: ubuntu-latest + strategy: + matrix: + # Tests are currently stable only for python 3.11 + # due to the way we are testing + python-version: ["3.11"] + steps: + - uses: actions/checkout@v4 - - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v5 - with: - python-version: ${{ matrix.python-version }} + - name: Set up Python ${{ matrix.python-version }} + uses: actions/setup-python@v5 + with: + python-version: ${{ matrix.python-version }} - # Install all development dependencies - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install -r requirements-dev.txt + # Install all development dependencies + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install -r requirements-dev.txt - # Lint with ruff - - name: lint with ruff - run: ruff check --output-format=github . + # Lint with ruff + - name: lint with ruff + run: ruff check --output-format=github . - # Run the tests with pytest - - name: Test with pytest - run: python -m pytest -v -s + # Run the tests with pytest + - name: Test with pytest + run: python -m pytest -v -s
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 31fa29c..47712ea 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,6 +7,9 @@ jobs:
 release:
 if: ${{ github.ref_type == 'branch' }}
 uses: nextmv-io/release/.github/workflows/release.yml@develop
+ permissions:
+ contents: write # Required for creating releases and tags
+ pull-requests: write
 with:
 BRANCH: ${{ github.ref_name }}
 REPOSITORY: nextplot
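Review bot: The workflow-level `permissions: contents: read` is the right default for build.yml, but the steps it now covers still reference actions by floating major tags (`actions/checkout@v4`, `actions/setup-python@v5`); pinning each to a full-length commit SHA with the tag kept in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`, is the usual companion hardening, since a read-only token does not limit what a tampered action can do with the runner or the checked-out tree. The `ruff check --output-format=github` step emits annotations through workflow commands, which need no extra token scope, so the read-only grant should not break linting. As a matter of style, the three `permissions` lines are buried in a whole-file re-indentation; landing the whitespace change separately would let the security-relevant lines be reviewed on their own.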
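Review bot: `pull-requests: write` on the `release` job carries no justification, unlike the `contents: write` line whose trailing comment explains the need; either document what the called workflow does with pull requests, e.g. `pull-requests: write  # <what the release workflow needs it for>`, or drop it, because the caller job's grant is the ceiling the reusable workflow can use, and that workflow is pulled from the mutable `@develop` ref of another repository, so any unneeded scope widens what a change there could do with this repository's token. If release.yml has no workflow-level `permissions:` block (lines 1–6 are outside this hunk), jobs without a job-level block, such as the `publish` job named in the `needs:` list of the second hunk, still run with the repository default token; adding `permissions: contents: read` at the top, as build.yml does in this same patch, would make the job-level `write` grants the only elevation. Minor: yamllint expects two spaces before an inline comment, `contents: write  # Required for creating releases and tags`.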
@@ -51,6 +54,8 @@ jobs:
 needs: [release, publish]
 if: ${{ needs.release.outputs.RELEASE_NEEDED == 'true' && needs.release.outputs.SHOULD_NOTIFY_SLACK == 'true' }}
 uses: nextmv-io/release/.github/workflows/notify-slack.yml@develop
+ permissions:
+ contents: read
 with:
 PACKAGE_NAME: nextplot
 VERSION: ${{ needs.release.outputs.VERSION }}
diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml
index 78bf3a6..24630a3 100644
--- a/.github/workflows/static.yml
+++ b/.github/workflows/static.yml
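Review bot: `contents: read` on the Slack notification job is likely more than it needs; if the called `notify-slack.yml` only consumes the `with:` inputs and posts to Slack, `permissions: {}` would give it no repository token scope at all, which is the tighter choice for a job that runs only after the release and publish jobs have completed. Whether the reusable workflow actually reads the repository can only be confirmed in the nextmv-io/release repository, which is outside this patch, so the grant is fine to keep if a checkout happens there.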
@@ -2,42 +2,42 @@ name: pages on: - # Runs on pushes to the content branch - push: - branches: ["content"] + # Runs on pushes to the content branch + push: + branches: ["content"] - # Allows you to run this workflow manually from the Actions tab - workflow_dispatch: + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages permissions: - contents: read - pages: write - id-token: write + contents: read + pages: write + id-token: write # Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. # However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. concurrency: - group: "pages" - cancel-in-progress: false + group: "pages" + cancel-in-progress: false jobs: - # Single deploy job since we're just deploying - deploy: - environment: - name: github-pages - url: ${{ steps.deployment.outputs.page_url }} - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v4 - - name: Setup Pages - uses: actions/configure-pages@v4 - - name: Upload artifact - uses: actions/upload-pages-artifact@v3 - with: - # Upload content directory - path: "content/" - - name: Deploy to GitHub Pages - id: deployment - uses: actions/deploy-pages@v4 + # Single deploy job since we're just deploying + deploy: + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Setup Pages + uses: actions/configure-pages@v4 + - name: Upload artifact + uses: actions/upload-pages-artifact@v3 + with: + # Upload content directory + path: "content/" + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@v4