From 91bd47a8fbad3fbd2379009518459d1e3fa91d3d Mon Sep 17 00:00:00 2001
From: Jon Langevin <codingsloth@pm.me>
Date: Fri, 29 May 2026 06:40:42 -0400
Subject: [PATCH] security: add least-privilege permissions to release
 workflows
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Resolves CodeQL actions/missing-workflow-permissions MEDIUM alerts in
release.yml (jobs: release, bump-modules) and module-release.yml
(jobs: prepare-release, release-module).

Top-level `permissions: {}` added to both files to deny all scopes by
default.  Each job is granted only the minimum scopes its steps require:

release.yml / release:
  contents: write      — gh release create, upload asset, git push branch (module-path PR)
  pull-requests: write — gh pr create for v2+ module-path update

release.yml / bump-modules:
  contents: write      — callee (auto-bump-modules) commits, pushes, merges
  pull-requests: write — callee creates and merges bump PR
  actions: read        — callee reads workflow run status (mirrors callee declaration)
  checks: write        — callee writes check results (mirrors callee declaration)

module-release.yml / prepare-release:
  contents: read       — checkout + git tag list + find modules (read-only)

module-release.yml / release-module:
  contents: write      — gh release create, git push origin "$TAG", git push branch
  pull-requests: write — gh pr create for v2+ module-path update

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .github/workflows/module-release.yml |  7 +++++++
 .github/workflows/release.yml        | 10 ++++++++++
 2 files changed, 17 insertions(+)

diff --git a/.github/workflows/module-release.yml b/.github/workflows/module-release.yml
index e773ee27..09be3dec 100644
--- a/.github/workflows/module-release.yml
+++ b/.github/workflows/module-release.yml
@@ -44,9 +44,13 @@ on:
         required: true
         type: string
 
+permissions: {}
+
 jobs:
   prepare-release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read       # checkout repository to detect module changes and list modules
     outputs:
       modules: ${{ steps.get-modules.outputs.modules }}
     steps:
@@ -104,6 +108,9 @@ jobs:
     needs: prepare-release
     runs-on: ubuntu-latest
     if: needs.prepare-release.outputs.modules && needs.prepare-release.result == 'success'
+    permissions:
+      contents: write      # create GitHub release, push tags, push branch for module-path PR
+      pull-requests: write # create PR for module path update (v2+ scenario)
     steps:
       - name: Checkout code
         uses: actions/checkout@v6
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 020571cf..7515c497 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -41,9 +41,14 @@ on:
         description: 'Version tag produced by the release job'
         value: ${{ jobs.release.outputs.released_version }}
 
+permissions: {}
+
 jobs:
   release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write      # create GitHub release, upload release asset, push branch for module-path PR
+      pull-requests: write # create PR for module path update (v2+ scenario)
     outputs:
       released_version: ${{ steps.version.outputs.next_version }}
       core_changed: ${{ steps.detect.outputs.core_changed }}
@@ -440,6 +445,11 @@ jobs:
   bump-modules:
     needs: release
     if: needs.release.result == 'success' && needs.release.outputs.core_changed == 'true' && inputs.skipModuleBump != true
+    permissions:
+      contents: write      # callee (auto-bump-modules) commits, pushes branch, merges PR
+      pull-requests: write # callee creates and merges the bump PR
+      actions: read        # callee reads workflow run status
+      checks: write        # callee writes check results
     uses: ./.github/workflows/auto-bump-modules.yml
     with:
       coreVersion: ${{ needs.release.outputs.released_version }}