
ci: add least-privilege permissions to CI workflow#40

Merged
bushidocodes merged 1 commit into
masterfrom
claude/frosty-stonebraker-920397
Jun 20, 2026

Conversation

@bushidocodes

Owner

Summary

Why

GitHub Actions workflows inherit broad default token permissions unless explicitly restricted. CodeQL flagged both jobs (test at line 10 and build at line 18) for not declaring permissions. Since both jobs only need to check out the repository, contents: read is the correct minimum — all other token scopes are denied by default.

Reviewer notes

No functional change to the workflow steps. The GITHUB_TOKEN now has only read access to repository contents, which is all actions/checkout requires.

🤖 Generated with Claude Code

Adds `permissions: contents: read` at the workflow level to satisfy
CodeQL alerts #3 and #4 ("Workflow does not contain permissions").
Both jobs only need repo checkout access, so denying all other token
scopes by default is safe and correct.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
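The change described above, as an added illustration rather than the project's own workflow file: the first document shows a workflow with no `permissions` key, so the GITHUB_TOKEN inherits the repository's default scopes; the second adds the workflow-level `permissions: contents: read` this PR introduces. The job names `test` and `build` come from the PR description; the trigger, runner, checkout version and step commands are assumed placeholders.

```yaml
# Added example, not the project's workflow. Job names are from the PR;
# everything else in this file is an assumed placeholder.

# BEFORE: no `permissions` key anywhere. Every job's GITHUB_TOKEN receives
# the repository's default token scopes, which can be read-write across
# the board (this is what CodeQL's "Workflow does not contain permissions"
# alert flags).
name: ci (before)
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "placeholder for the test command"
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "placeholder for the build command"
---
# AFTER: one workflow-level `permissions` block. As soon as any scope is
# listed, every scope that is not listed is set to `none`, so both jobs now
# get `contents: read` (enough for actions/checkout) and nothing else.
name: ci (after)
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "placeholder for the test command"
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "placeholder for the build command"
```

If a single job later needs a broader scope (for example to publish a check run or comment on a PR), add a job-level `permissions` block to that job alone. A job-level block replaces the workflow-level one entirely for that job, so restate `contents: read` alongside the extra scope; the other jobs keep the workflow-level read-only default.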
@bushidocodes bushidocodes merged commit 8990947 into master Jun 20, 2026
6 checks passed
@bushidocodes bushidocodes deleted the claude/frosty-stonebraker-920397 branch June 20, 2026 20:00