From 0b1c51b2c6a4afbd4ef1ef010b4fc99dd9d7ecc8 Mon Sep 17 00:00:00 2001 From: Pinecone Founding Engineer Date: Sat, 11 Jul 2026 16:07:20 -0400 Subject: [PATCH] ci: add least-privilege workflow permissions Resolves CodeQL actions/missing-workflow-permissions alerts (#6, #12, #13). Both workflows are read-only w.r.t. this repo: - pr.yml: build / integration-test / cleanup only read the repo. - build-and-publish-docs.yml: pushes to the sdk-docs repo via SSH_DEPLOY_KEY. Set contents: read on both. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/build-and-publish-docs.yml | 5 +++++ .github/workflows/pr.yml | 4 ++++ 2 files changed, 9 insertions(+) diff --git a/.github/workflows/build-and-publish-docs.yml b/.github/workflows/build-and-publish-docs.yml index dcb35d65..00f2a5fa 100644 --- a/.github/workflows/build-and-publish-docs.yml +++ b/.github/workflows/build-and-publish-docs.yml @@ -7,6 +7,11 @@ on: SSH_DEPLOY_KEY: required: true +# Docs are pushed to the sdk-docs repo via SSH_DEPLOY_KEY, not GITHUB_TOKEN, +# so this workflow only needs to read its own repo. +permissions: + contents: read + jobs: build-and-deploy-documentation: runs-on: ubuntu-latest diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 9acfb84c..522bea5c 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -7,6 +7,10 @@ on: branches: - main +# Least-privilege default: build, integration tests, and cleanup only read the repo. +permissions: + contents: read + jobs: build: strategy: