From 365ef8be80d2a1d49711475ecd5ff4e18d69a8f7 Mon Sep 17 00:00:00 2001 From: Alb3e3 <74142887+Alb3e3@users.noreply.github.com> Date: Sat, 27 Jun 2026 13:56:37 +0200 Subject: [PATCH] ci: set least-privilege GITHUB_TOKEN permissions Add a workflow-level `permissions: { contents: read }` block. The affected workflow(s) only build, test, and/or fuzz the project; no job writes to the repository or other GitHub resources, so read-only is the correct least-privilege scope for the default GITHUB_TOKEN. --- .github/workflows/dist.yaml | 3 +++ .github/workflows/main.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/.github/workflows/dist.yaml b/.github/workflows/dist.yaml index 45a00e21..bd7b6b97 100644 --- a/.github/workflows/dist.yaml +++ b/.github/workflows/dist.yaml @@ -4,6 +4,9 @@ on: push: branches: [ release/* ] +permissions: + contents: read + jobs: dist: runs-on: ubuntu-latest diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index bd3f87bb..54a539f2 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ master ] +permissions: + contents: read + jobs: build: