Theme: Security
Problem
.github/workflows/ci.yml declares no permissions: block, so GITHUB_TOKEN is granted the repository/organization default scopes for both jobs (build-and-test and audit). GitHub code scanning flags this as two open alerts:
Neither job needs write access — they only checkout, install, lint, typecheck, test, and run npm audit.
Proposed fix
Add an explicit top-level least-privilege block:
permissions:
contents: read
Widen per-job only if a future job needs more. Confirm CodeQL re-scans clean after merge.
Acceptance criteria
ci.yml sets least-privilege permissions (top level contents: read).
- Both code-scanning alerts move to fixed/closed after the workflow runs on the merge commit.
- CI stays green.
Blast radius
safe
Dependencies
None.
Theme: Security
Problem
.github/workflows/ci.ymldeclares nopermissions:block, soGITHUB_TOKENis granted the repository/organization default scopes for both jobs (build-and-testandaudit). GitHub code scanning flags this as two open alerts:actions/missing-workflow-permissionsatci.yml:16(build-and-test)actions/missing-workflow-permissionsatci.yml:50(audit)Neither job needs write access — they only checkout, install, lint, typecheck, test, and run
npm audit.Proposed fix
Add an explicit top-level least-privilege block:
Widen per-job only if a future job needs more. Confirm CodeQL re-scans clean after merge.
Acceptance criteria
ci.ymlsets least-privilegepermissions(top levelcontents: read).Blast radius
safeDependencies
None.