
fix: add explicit read-all permissions to CI workflow#13

Merged

bushidocodes merged 1 commit into master from claude/jolly-colden-89e7a1 on Jun 20, 2026
Conversation

@bushidocodes (Owner)

What changed

Added permissions: read-all at the top-level of .github/workflows/ci.yml.

Why

CodeQL flagged this as alert #2 (Medium severity): Workflow does not contain permissions. Without an explicit permissions block, GitHub Actions workflows inherit the repository's default token permissions — typically write-all. A compromised or malicious third-party action in the job could then use GITHUB_TOKEN to push code, create releases, modify issues, or read secrets it shouldn't have access to.

Declaring permissions: read-all enforces least-privilege: this CI job only needs to check out and read the repository, so no write access is required.

Reviewer notes

  • No functional change to what the workflow does — only the token scope tightens.
  • If a future job needs write access (e.g., to publish artifacts), it should add a scoped permissions block on that specific job rather than widening the top-level grant.

🤖 Generated with Claude Code

Resolves CodeQL alert #2 (Medium) — workflow did not declare permissions,
which means it implicitly inherits write-all repo defaults and could allow
compromised actions to exfiltrate secrets or modify repo state.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
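For readers who have not seen the pattern the description refers to, here is an added illustration of it as a complete workflow. It is example code, not the repository's actual `.github/workflows/ci.yml`; the job names, the `make test` and `./scripts/publish.sh` commands, the runner image and the action versions are assumptions. Only the top-level `permissions: read-all` line corresponds to what this PR changed.

```yaml
# Added example, not the project's own ci.yml. Job names, commands and
# versions below are assumptions used for illustration.
name: CI

on:
  push:
    branches: [master]
  pull_request:

# Workflow-level default for every job in this file: the GITHUB_TOKEN can
# only read. Without this block the token falls back to the repository's
# default scope, which the PR description notes is typically write-all.
permissions: read-all

jobs:
  test:
    runs-on: ubuntu-latest
    # Inherits read-all from the top level; checkout and test need no writes.
    steps:
      - uses: actions/checkout@v4
      - run: make test

  # Hypothetical future job that has to publish something. The write grant
  # is scoped to this job and to the single scope it needs; the top-level
  # grant stays read-all for everything else.
  release:
    needs: test
    if: github.ref == 'refs/heads/master'
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/publish.sh
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

One caveat when adding such a job-level block: a job's `permissions` map replaces the workflow-level grant for that job rather than extending it, so any scope not listed there (for example `contents: read` when you only name `packages: write`) becomes `none` for that job. List every scope the job actually needs, and keep it to the minimum.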
@bushidocodes bushidocodes merged commit 2d361bd into master Jun 20, 2026
4 checks passed
@bushidocodes bushidocodes deleted the claude/jolly-colden-89e7a1 branch June 20, 2026 20:00