From 638fa2858c4a205e29394833df3d4d0b11b23d31 Mon Sep 17 00:00:00 2001
From: zhangshaoyong <614096046@qq.com>
Date: Fri, 31 Oct 2025 17:41:12 +0800
Subject: [PATCH 1/2] Update GITHUB_TOKEN permissions in CI workflow

Restrict minimum necessary permissions for GITHUB_TOKEN.
---
 .github/workflows/maxflow-ci.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/maxflow-ci.yml b/.github/workflows/maxflow-ci.yml
index 1cabcfc..26631de 100644
--- a/.github/workflows/maxflow-ci.yml
+++ b/.github/workflows/maxflow-ci.yml
@@ -4,6 +4,11 @@ on:
   push:
     branches: [master]
   pull_request:
+
+# Added: Restrict minimum necessary permissions for GITHUB_TOKEN
+permissions:
+  contents: read # Only allow reading repository content
+  actions: read # Only allow reading workflow information
 
 jobs:
   test:

From dc65f311355fc9c072cd434996f4d0bf223bd0d5 Mon Sep 17 00:00:00 2001
From: zhangshaoyong <614096046@qq.com>
Date: Fri, 31 Oct 2025 17:48:24 +0800
Subject: [PATCH 2/2] Update GitHub Actions workflow for deployment

By adding permissions: { contents: read } at the top level, the permission scope of GITHUB_TOKEN is restricted. It only retains the necessary permission to read repository content (used for the actions/checkout step to pull code). Authentication for deployment to PyPI is handled via secrets.PYPI, and no additional permissions from the GitHub token are required, which complies with the principle of least privilege.
---
 .github/workflows/maxflow-deployment.yml | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/maxflow-deployment.yml b/.github/workflows/maxflow-deployment.yml
index b7b4036..307f02a 100644
--- a/.github/workflows/maxflow-deployment.yml
+++ b/.github/workflows/maxflow-deployment.yml
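Review bot: `actions: read` in the new permissions block grants the token read access to the Actions API (workflow runs, artifacts, logs), and nothing in this hunk shows a step of `test:` that needs it — the `jobs:` body continues outside the hunk, so this is a question rather than a defect: if no step downloads artifacts from other runs or queries workflow runs, drop the line, since any explicit `permissions:` block already sets every unlisted scope to none and `contents: read` alone covers `actions/checkout`. The `# Added:` prefix describes the commit rather than the configuration and will read as stale once the file is edited again; `# Least-privilege GITHUB_TOKEN: every scope not listed here is none` states what the block actually enforces. Inline comments need two spaces before `#` to satisfy yamllint's `comments` rule, e.g. `contents: read  # read-only access to repository content`. The `on:` mapping starts before the hunk.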
@@ -4,6 +4,10 @@ on:
   push:
     tags: 'v[0-9]+*'
 
+# Restrict minimum necessary permissions for GITHUB_TOKEN
+permissions:
+  contents: read # Required for checking out repository code
+
 jobs:
   deploy-sdist:
     name: Deploy source distribution
@@ -18,13 +22,13 @@ jobs:
         uses: actions/setup-python@v4
         with:
           python-version: '3.10'
-      - name: Install cibuildwheel
+      - name: Install build tools
         run: |
           python -m pip install --upgrade pip
           python -m pip install build
-      - name: Build sdist
+      - name: Build source distribution
         run: python -m build --sdist
-      - name: Deploy sdist
+      - name: Deploy to PyPI
         run: |
           python3 -m pip install twine
           python3 -m twine upload --skip-existing dist/*
@@ -55,7 +59,7 @@ jobs:
           python -m pip install cibuildwheel
       - name: Build wheels
         run: python3 -m cibuildwheel --output-dir wheelhouse
-      - name: Deploy
+      - name: Deploy wheels to PyPI
         run: |
           python3 -m pip install twine
           python3 -m twine upload --skip-existing wheelhouse/*.whl
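Review bot: The comment on `contents: read` justifies the one scope kept but not the security effect of the block, which is that every other GITHUB_TOKEN scope (including the default write scopes) becomes none for both deploy jobs; suggest `# Least-privilege GITHUB_TOKEN: contents:read for actions/checkout, every other scope is none` so a later maintainer does not add scopes casually. Per the commit message the PyPI credential comes from `secrets.PYPI`, which is outside this hunk; if the project later moves to PyPI trusted publishing, the upload jobs would need `id-token: write`, and that is better granted at job level than by loosening this top-level block, which is worth a line in the comment. yamllint's `comments` rule wants two spaces before an inline `#`: `contents: read  # ...`. The `on:` mapping starts before the hunk and the `jobs:` body continues after it; the two later hunks are step renames only.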