fix: add explicit permissions to CI workflow #23

Merged: bushidocodes merged 1 commit into master from claude/clever-wescoff-afbc88 on Jun 20, 2026

@bushidocodes

Owner

Summary

  • Adds `permissions: contents: read` at the top level of `.github/workflows/ci.yml`
  • This applies least-privilege token scope to both the notebook and shell-lint jobs, which only need to check out code

Why

GitHub's code scanning flagged two open actions/missing-workflow-permissions warnings (alerts #3 and #4). Without explicit permissions, workflow jobs inherit the default GITHUB_TOKEN scope, which is broader than necessary and violates least-privilege best practice.

Reviewer notes

No functional change — only the token permissions are narrowed. Both jobs only call actions/checkout and run local scripts, so contents: read is the correct minimal scope.

🤖 Generated with Claude Code

… alerts

Adds `permissions: contents: read` at the workflow level so that both
jobs run with least-privilege rather than the default broad token scope.
Resolves GitHub code scanning alerts #3 and #4.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

@bushidocodes merged commit db469b8 into master on Jun 20, 2026
5 checks passed
@bushidocodes deleted the claude/clever-wescoff-afbc88 branch on June 20, 2026, 20:09
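
An added example, not part of the pull request or the repository's code: a small Python check, in the spirit of the actions/missing-workflow-permissions alert described above, that lists jobs with neither a top-level nor a job-level `permissions:` key. The workflow text is a constructed sample (only the job names `notebook` and `shell-lint` and the `contents: read` setting come from the PR), and the scan assumes block-style YAML indented with spaces.

```python
import re

# Constructed sample, not the repository's real ci.yml. Only the job names and
# the `permissions: contents: read` setting come from the PR description.
BEFORE = """\
name: CI
on: [push, pull_request]
jobs:
  notebook:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
  shell-lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""
AFTER = BEFORE.replace("jobs:\n", "permissions:\n  contents: read\njobs:\n", 1)

KEY = re.compile(r"^( *)([\w.-]+) *:")  # "<indent><key>:" mapping lines only


def jobs_missing_permissions(workflow_text):
    """Return names of jobs that inherit the default GITHUB_TOKEN scope.

    Assumes block-style YAML indented with spaces. A job is covered by a
    top-level `permissions:` key or by a `permissions:` key of its own.
    """
    top_level, section, job, job_indent, child_indent = False, None, None, None, None
    covered = {}  # job id -> has its own permissions key
    for line in workflow_text.splitlines():
        m = KEY.match(line)
        if not m:  # blank lines, comments, list items
            continue
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:
            section, job, job_indent = key, None, None
            top_level = top_level or key == "permissions"
        elif section == "jobs":
            if job_indent is None:
                job_indent = indent
            if indent == job_indent:  # a new job id
                job, child_indent = key, None
                covered[job] = False
            elif job is not None:
                child_indent = child_indent or indent
                if indent == child_indent and key == "permissions":
                    covered[job] = True
    return [] if top_level else [j for j, ok in covered.items() if not ok]
```

Called on `BEFORE` it reports both jobs; called on `AFTER`, where the top-level key covers every job, it reports none.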