From a05ed2def430350bff6bf851f051d0e5521c7a0e Mon Sep 17 00:00:00 2001 From: Juha Jeronen Date: Fri, 12 Jun 2026 00:10:47 +0300 Subject: [PATCH] ci: set least-privilege GITHUB_TOKEN permissions Add top-level `permissions: contents: read` to every workflow. Without it, jobs inherit the repo-default token scope (often read-write), so a malicious dependency executing during install/build/test on a push to the default branch would hold a write-capable token. Read-only by default denies that; the publish job keeps its own job-level `id-token: write` block (job-level permissions override the top-level default), so trusted-publishing is unaffected. Complements the SHA-pinning: pinning stops untrusted code from running; this limits what it can do if it runs anyway. Fork-PR tokens are already forced read-only by GitHub; this closes the push-triggered path. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/ci.yml | 3 +++ .github/workflows/coverage.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3d262100..75e7d548 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,6 +13,9 @@ on: branches: [ master ] workflow_dispatch: +permissions: + contents: read + jobs: lint: runs-on: ubuntu-latest diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index 9d7ac879..17a23c62 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -10,6 +10,9 @@ on: branches: [ master ] workflow_dispatch: +permissions: + contents: read + jobs: codecov:
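Review bot: in the ci.yml hunk the top-level `permissions: contents: read` is right, but the commit message's reliance on the publish job keeping "its own job-level `id-token: write` block" needs a check before merge: a job-level `permissions:` block does not merge with the top-level one, it replaces it, so a job that declares only `id-token: write` is left with no `contents` scope at all and its checkout step may fail because the token no longer has read access to the repository. Suggest that any job carrying its own block also restate `contents: read` explicitly. That publish job is not visible anywhere in this patch (the ci.yml context below the insertion shows only `lint:`, and the stat line lists just two files), while the message says "every workflow", so confirm the workflow that holds the publish job is also given a top-level `permissions:` block, otherwise its non-publish jobs keep the repo-default token scope the message is trying to remove.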
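Review bot: the coverage.yml hunk adds the same top-level block above the `codecov:` job, and that job has no job-level `permissions:` in the visible context, so from now on any step in it that writes back through `GITHUB_TOKEN` (a PR comment, a check run, a commit) will be refused. That is the intended least-privilege outcome, but the job's steps are outside the diff context, so run the workflow once on a push to `master` and once via `workflow_dispatch` to confirm the coverage upload only needs repository-read scope; if a step turns out to need more, grant it at job level and, because a job-level block replaces the top-level one, repeat `contents: read` there as well.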