From 7b813719000c800c3ba44bfc5b70532d8469e3a6 Mon Sep 17 00:00:00 2001
From: Mike Nguyen
Date: Fri, 15 May 2026 18:25:15 -0700
Subject: [PATCH] Add least-privilege permissions to GitHub Actions workflows

CodeQL flagged ci.yml and publish.yml for running with the default GITHUB_TOKEN permissions (rule: "Workflow does not contain permissions", 3 Medium alerts). Added an explicit top-level `permissions: contents: read` to both workflows. Jobs that genuinely need more -- OIDC publishing to PyPI (id-token: write) and creating a GitHub Release (contents: write) -- already declare those in their own per-job permissions blocks, which override the least-privilege default.
---
 .github/workflows/ci.yml | 4 ++++
 .github/workflows/publish.yml | 5 +++++
 2 files changed, 9 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 37da059..f448db3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,10 @@ on:
   pull_request:
     branches: [main]
 
+# Least-privilege default for all jobs: they only need to read the repo.
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Test py${{ matrix.python-version }} on ${{ matrix.os }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index e881d61..15795e8 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -9,6 +9,11 @@ on:
     tags:
       - "v*"
 
+# Least-privilege default. Jobs that need more (OIDC publishing to
+# PyPI, creating a GitHub Release) escalate in their own permissions block.
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build sdist + wheel
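Review bot: The new top-level `permissions: contents: read` in ci.yml also caps every job in the workflow that is not visible in this hunk, and unlike publish.yml the commit message does not say those jobs were checked against it; any step that comments on pull requests, publishes check annotations or uploads results through the token (`pull-requests: write`, `checks: write`, `security-events: write`) would now fail at run time with a 403 instead of being caught in review. It is worth confirming that the `test` job and any siblings only check out and run, and saying so next to the block so the next person who adds a reporter step knows where to look: `# Any job that needs more must declare its own permissions block (which replaces this one).` The `jobs:` mapping continues past the end of the hunk, so this cannot be verified here.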
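Review bot: The comment above `permissions:` in publish.yml says escalating jobs "escalate in their own permissions block", but a job-level `permissions:` in GitHub Actions replaces the workflow-level set rather than adding to it — every scope not listed in the job block becomes `none`. A job that declares only `id-token: write` therefore loses `contents: read`, which breaks it if that job runs `actions/checkout`; the jobs themselves are outside this hunk, so whether they re-list `contents: read` cannot be checked from here. Suggest making the semantics explicit in the comment so a later edit does not rely on the intuitive-but-wrong merge reading: `# A job-level permissions block replaces this default (unlisted scopes become none), so escalating jobs must also list contents: read if they check out the repo.`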