fix: remove npm-publish.yml and harden CI workflow security

DevForge Engineer · DevForge Engineer · commit a2c4c460fc93 · 2026-05-18T07:05:44.000-04:00
- Remove npm-publish.yml (wrong-language workflow for Python repo)
- Add persist-credentials: false to all checkout steps (ci, publish, pages)
- Add top-level permissions: contents: read to ci.yml
- Update pages.yml checkout from v4 to v6
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -15,6 +18,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v6
@@ -30,4 +35,3 @@ jobs:
       - name: Run tests
         run: |
           python -m pytest tests/ -v --cov=src --cov-report=term-missing
-
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml
@@ -18,7 +18,9 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Setup Pages
         uses: actions/configure-pages@v5
       - name: Build with Jekyll
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -22,6 +22,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Set up Python 3.11
         uses: actions/setup-python@v6
