From 9743a087f305531ee32b1bfd4a2cde2e7a5bb31e Mon Sep 17 00:00:00 2001
From: Albert Mavashev
Date: Sat, 18 Apr 2026 21:38:14 -0400
Subject: [PATCH] ci: add explicit least-privilege permissions to workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CodeQL (actions/missing-workflow-permissions, medium) flagged the workflow for relying on the repository's default GITHUB_TOKEN scopes, which can be broader than the workflow needs. Declares `permissions: contents: read` at the top level (only checkout needs write — and CI doesn't push). Jobs that need extra scopes (e.g. PyPI publish with id-token: write) override at the job level. Part of org-wide CodeQL hygiene sweep — same one-line addition in cycles-server, cycles-server-admin, cycles-server-events, cycles-dashboard, cycles-client-python, cycles-spring-boot-starter.
---
 .github/workflows/ci.yml | 3 +++
 .github/workflows/python-publish.yml | 4 ++++
 2 files changed, 7 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2b54628..f53a5bd 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: [main]
+permissions:
+ contents: read
+
 jobs:
 ci:
 uses: runcycles/.github/.github/workflows/ci-python.yml@main
diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
index 8286fc0..d5d9b51 100644
--- a/.github/workflows/python-publish.yml
+++ b/.github/workflows/python-publish.yml
@@ -15,6 +15,10 @@ on:
 - testpypi
 - pypi
+# Default least-privilege; publish-* jobs override with id-token: write.
+permissions:
+ contents: read
+
 jobs:
 build:
 name: Build distributions
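Review bot: The new top-level `permissions: contents: read` in ci.yml also caps the reusable workflow invoked on the `uses: runcycles/.github/.github/workflows/ci-python.yml@main` line, because a called workflow can only narrow the caller's GITHUB_TOKEN scopes, never widen them; if ci-python.yml relies on anything beyond contents: read (for example writing check results or PR comments), those steps would now fail at run time rather than at workflow parse time. Worth confirming against that workflow's own `permissions` block before merging, and recording the dependency the way python-publish.yml does, e.g. `# Least-privilege default; the called ci-python workflow can only narrow these scopes, so widen them here if it needs more.` The `@main` ref is context rather than part of this change, but pinning it to a commit SHA would complete the supply-chain side of the hardening this commit starts.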
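Review bot: The added comment `# Default least-privilege; publish-* jobs override with id-token: write.` in python-publish.yml understates what a job-level override does: a job's `permissions` map replaces the workflow-level map rather than merging with it, so a publish job that declares only `id-token: write` ends up with no `contents` scope at all. That is fine if those jobs only download the built artifact, but any step in them that checks out the repository would need `contents: read` re-declared at the job level; the publish jobs themselves are outside this hunk, so I cannot confirm which case applies. Suggest extending the comment to `# Default least-privilege; publish-* jobs override with id-token: write (a job-level map replaces this one, so re-add contents: read there if the job checks out code).`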