
ci: restrict GITHUB_TOKEN to contents:read (fixes CodeQL alert #2) #12

Merged
bushidocodes merged 1 commit into master from claude/elegant-shtern-400444 on Jun 20, 2026
Conversation

@bushidocodes (Owner)
Summary

  • Added permissions: contents: read to the test job in .github/workflows/ci.yml

Why

CodeQL code scanning alert #2 flagged that the CI workflow had no explicit permissions block, meaning the job inherited whatever the repository or organization default is (historically read-write for repos created before Feb 2023). This violates the principle of least privilege.

The test job only checks out code and runs CMake/CTest — it never writes to the repo, creates releases, or interacts with issues/PRs — so contents: read is the minimum sufficient permission.

Reviewer notes

No behavioral change to the CI run itself; this is a security hygiene fix only.

🤖 Generated with Claude Code

Fixes CodeQL code scanning alert #2 — the CI workflow job lacked an
explicit permissions block, which could allow the default GITHUB_TOKEN
to have broader write access than needed. This job only checks out code,
so contents:read is the minimum required.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
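The PR diff itself is not shown on this page. The following is an added example, not the repository's actual .github/workflows/ci.yml, reconstructing a minimal CMake/CTest workflow of the kind the description mentions, first without a permissions block and then with the job-level permissions: contents: read the PR adds. Job name, action versions and build commands are assumptions. The third document goes one step further than the PR: a workflow-level permissions: {} so that any job added later starts with no token scopes and must opt in explicitly.

```yaml
# Added example (not the project's ci.yml): the same workflow before and after
# the fix. Step list, action versions and CMake flags are assumptions.

# --- Before: no permissions key at any level. The GITHUB_TOKEN handed to the
#     job carries whatever the repository/organization default is, which can
#     be read-write for repositories created before the 2023 default change.
name: CI (before)
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: cmake -S . -B build
      - run: cmake --build build
      - run: ctest --test-dir build --output-on-failure
---
# --- After: job-level permissions block, as in the PR. Declaring any scope on
#     a job sets every scope that is not listed to "none", so this single line
#     leaves the token with read access to repository contents and nothing else.
#     actions/checkout only needs contents: read to clone the repository.
name: CI (after)
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: cmake -S . -B build
      - run: cmake --build build
      - run: ctest --test-dir build --output-on-failure
---
# --- Beyond the PR: a workflow-level empty permissions map makes "no scopes"
#     the default for every job in the file. A job that genuinely needs more
#     opts in with its own block, which still replaces (not merges with) the
#     workflow-level set, so the grant stays visible next to the job that uses it.
name: CI (deny-by-default)
on: [push, pull_request]
permissions: {}
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: cmake -S . -B build
      - run: cmake --build build
      - run: ctest --test-dir build --output-on-failure
```

A quick way to confirm the fix took effect is to inspect the workflow run logs: the "Set up job" step prints the GITHUB_TOKEN permissions the job was actually granted, so after the change it should list only contents: read rather than the full default set.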
bushidocodes merged commit 3c8f709 into master on Jun 20, 2026
4 checks passed
bushidocodes deleted the claude/elegant-shtern-400444 branch on June 20, 2026 19:38