Skip to content

ci: set least-privilege GITHUB_TOKEN permissions in workflow #24

Description

@jhamon

Theme: Security

Problem

.github/workflows/ci.yml declares no permissions: block, so GITHUB_TOKEN is granted the repository/organization default scopes for both jobs (build-and-test and audit). GitHub code scanning flags this as two open alerts:

Neither job needs write access — they only checkout, install, lint, typecheck, test, and run npm audit.

Proposed fix

Add an explicit top-level least-privilege block:

permissions:
  contents: read

Widen per-job only if a future job needs more. Confirm CodeQL re-scans clean after merge.

Acceptance criteria

  • ci.yml sets least-privilege permissions (top level contents: read).
  • Both code-scanning alerts move to fixed/closed after the workflow runs on the merge commit.
  • CI stays green.

Blast radius

safe

Dependencies

None.

Metadata

Metadata

Assignees

Labels

maintenanceRepo maintenance sweep

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions