From 6801ce8cc7c17345f0ee231edcf4872ddac92234 Mon Sep 17 00:00:00 2001 From: Jen Hamon Date: Fri, 10 Jul 2026 15:18:58 -0400 Subject: [PATCH] ci: set least-privilege GITHUB_TOKEN permissions in workflow Add a top-level `permissions: contents: read` block so GITHUB_TOKEN is scoped to read-only instead of the repo/org default. Both jobs only read the repo (checkout, install, lint, typecheck, test, audit), so no job needs write access. Resolves the two open code-scanning alerts (actions/missing-workflow-permissions). Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/ci.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 519c314..49bf908 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,6 +6,11 @@ on: pull_request: branches: [main] +# Least-privilege GITHUB_TOKEN: every job here only reads the repo (checkout, +# install, lint, typecheck, test, audit). Widen per-job if one ever needs more. +permissions: + contents: read + # Cancel superseded runs on the same ref (e.g. rapid pushes to a PR). concurrency: group: ci-${{ github.workflow }}-${{ github.ref }}