ci: restrict GITHUB_TOKEN to least privilege (contents: read) #33

Merged: bushidocodes merged 1 commit into master from claude/nostalgic-faraday-33fd3a on Jun 20, 2026
@bushidocodes

Owner

Summary

  • Adds permissions: contents: read at the workflow level in ci.yml
  • Fixes CodeQL code-scanning alert #2: Workflow does not contain permissions
  • The test job only checks out code and runs Maven tests — contents: read is the minimum required

Test plan

🤖 Generated with Claude Code

Add explicit `permissions: contents: read` at the workflow level so the
GITHUB_TOKEN scope is locked to what the job actually needs (checkout only).
Fixes CodeQL code-scanning alert #2.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

bushidocodes merged commit c8ba589 into master on Jun 20, 2026
4 checks passed
bushidocodes deleted the claude/nostalgic-faraday-33fd3a branch on June 20, 2026 19:49