
fix: restrict GITHUB_TOKEN to read-only permissions in CI workflow #30

Merged: bushidocodes merged 1 commit into master from claude/clever-chaplygin-1b3c05 on Jun 20, 2026

@bushidocodes

Owner

Summary

  • Adds `permissions: contents: read` at the workflow level in `.github/workflows/ci.yml`
  • Resolves CodeQL alert #2: missing explicit permissions block on the `GITHUB_TOKEN`
  • The CI job only checks out code and runs Maven tests, so `contents: read` is the minimal required permission

Test plan

🤖 Generated with Claude Code

Adds an explicit `permissions: contents: read` block to satisfy the
principle of least privilege and resolve CodeQL alert #2.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@bushidocodes bushidocodes merged commit 25330d9 into master Jun 20, 2026
4 checks passed
@bushidocodes bushidocodes deleted the claude/clever-chaplygin-1b3c05 branch June 20, 2026 20:10
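
The gap this pull request closes can be checked across a repository's other workflows with a small script. The following is an added example, not code from this repository: the function name is hypothetical, the workflow texts are constructed samples rather than the project's `ci.yml`, and the scan is a line-based approximation that assumes block-style YAML indented with spaces.

```python
import re

KEY = re.compile(r"\s*([A-Za-z0-9_-]+)\s*:")

def jobs_without_explicit_permissions(workflow_text):
    """Return the jobs whose GITHUB_TOKEN scope is not stated anywhere:
    no workflow-level `permissions:` and none on the job itself."""
    top_level = in_jobs = False
    job_indent = key_indent = current = None
    jobs = {}  # job name -> True if the job has its own permissions key
    for line in workflow_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        m = KEY.match(line)  # list items such as "- uses: x" do not match
        if indent == 0:
            in_jobs = stripped.startswith("jobs:")
            top_level = top_level or stripped.startswith("permissions:")
            job_indent = key_indent = current = None
            continue
        if not in_jobs or not m:
            continue
        if job_indent is None:
            job_indent = indent  # indentation of job names under jobs:
        if indent == job_indent:
            current, key_indent = m.group(1), None
            jobs[current] = False
        elif current is not None:
            if key_indent is None:
                key_indent = indent  # indentation of this job's direct keys
            if indent == key_indent and m.group(1) == "permissions":
                jobs[current] = True
    return [] if top_level else [n for n, ok in jobs.items() if not ok]

# Constructed sample: a Maven CI workflow with no permissions block.
BEFORE = """name: CI
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: mvn -B test
"""
# The same workflow with the workflow-level block from the summary above.
AFTER = "permissions:\n  contents: read\n" + BEFORE
# Constructed sample: only one of two jobs declares its own permissions.
PER_JOB = ("jobs:\n  test:\n    permissions:\n      contents: read\n"
           "    runs-on: ubuntu-latest\n  lint:\n    runs-on: ubuntu-latest\n")

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER), ("per-job", PER_JOB)):
        print(name, jobs_without_explicit_permissions(text))
```

An empty result means every job's token scope is declared either at the workflow level or on the job; any job name returned is one that falls back to the repository's default token permissions.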