From ae4ad9ec808ceb1b992ba68392b5d61119dcf382 Mon Sep 17 00:00:00 2001
From: Copilot <198982749+Copilot@users.noreply.github.com>
Date: Fri, 6 Mar 2026 02:44:56 +0200
Subject: [PATCH] fix: harden workflow permissions with deny-all top-level and least-privilege job scopes (#482)

---
 .github/workflows/action-security.yml | 8 ++++----
 .github/workflows/build-testing-image.yml | 7 ++++---
 .github/workflows/codeql-new.yml | 7 +++----
 .github/workflows/dependency-review.yml | 5 +++--
 .github/workflows/issue-stats.yml | 3 +--
 .github/workflows/new-release.yml | 2 +-
 .github/workflows/pr-lint.yml | 4 +---
 .github/workflows/release.yml | 3 +--
 .github/workflows/security-suite.yml | 11 ++++++-----
 .github/workflows/stale.yml | 5 +----
 .github/workflows/sync-labels.yml | 3 ++-
 .github/workflows/version-maintenance.yml | 9 +++++----
 12 files changed, 32 insertions(+), 35 deletions(-)

diff --git a/.github/workflows/action-security.yml b/.github/workflows/action-security.yml
index af99a25..94c5902 100644
--- a/.github/workflows/action-security.yml
+++ b/.github/workflows/action-security.yml
@@ -17,10 +17,7 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
-  contents: read
-  actions: read
-  pull-requests: read
+permissions: {}
 
 jobs:
   analyze:
@@ -29,6 +26,9 @@ jobs:
     timeout-minutes: 30
 
     permissions:
+      contents: read
+      actions: read
+      pull-requests: read
       security-events: write
       statuses: write
       issues: write
diff --git a/.github/workflows/build-testing-image.yml b/.github/workflows/build-testing-image.yml
index b70255d..17c3577 100644
--- a/.github/workflows/build-testing-image.yml
+++ b/.github/workflows/build-testing-image.yml
@@ -23,15 +23,16 @@ on:
         default: 'latest'
         type: string
 
-permissions:
-  contents: read
-  packages: write
+permissions: {}
 
 jobs:
   build-and-push:
     name: Build and Push Testing Image
     runs-on: ubuntu-latest
     timeout-minutes: 20
+    permissions:
+      contents: read
+      packages: write
     steps:
       - name: Checkout repository
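Review bot: The `analyze` job keeps `statuses: write` and `issues: write` next to the read scopes the commit moves down from the top level, so the job token is still the union of everything the workflow ever needed rather than a scope tailored to this job; the steps that would justify those two write scopes are outside the hunk. If no step in `analyze` creates or updates issues or commit statuses, drop those two lines, and otherwise annotate each write scope with the step that needs it, e.g. `issues: write  # needed by <step>: opens tracking issues for findings`. The presence of `pull-requests: read` suggests a pull-request trigger; confirm the event is not `pull_request_target`, because a job that checks out a fork's head while holding `security-events: write` and `issues: write` hands those scopes to untrusted code. The job definition starts and continues outside the hunk.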
diff --git a/.github/workflows/codeql-new.yml b/.github/workflows/codeql-new.yml
index 55a00c3..4d1e37d 100644
--- a/.github/workflows/codeql-new.yml
+++ b/.github/workflows/codeql-new.yml
@@ -13,17 +13,16 @@ on:
     - cron: '30 1 * * 0' # Run at 1:30 AM UTC every Sunday
   merge_group:
 
-permissions:
-  actions: read
-  contents: read
+permissions: {}
 
 jobs:
   analyze:
     name: Analyze (${{ matrix.language }})
     runs-on: ubuntu-latest
     permissions:
-      security-events: write
+      actions: read
       contents: read
+      security-events: write
 
     strategy:
       fail-fast: false
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index d716a6d..54a1c3f 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -4,12 +4,13 @@ name: 'Dependency Review'
 on:
   - pull_request
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   dependency-review:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: 'Checkout Repository'
         uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
diff --git a/.github/workflows/issue-stats.yml b/.github/workflows/issue-stats.yml
index 2b9e91c..5778ab4 100644
--- a/.github/workflows/issue-stats.yml
+++ b/.github/workflows/issue-stats.yml
@@ -5,8 +5,7 @@ on:
   schedule:
     - cron: '3 2 1 * *'
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   build:
diff --git a/.github/workflows/new-release.yml b/.github/workflows/new-release.yml
index 071070a..7bbb45c 100644
--- a/.github/workflows/new-release.yml
+++ b/.github/workflows/new-release.yml
@@ -6,7 +6,7 @@ on:
   schedule:
     - cron: '0 21 * * *' # 00:00 at Europe/Helsinki
 
-permissions: read-all
+permissions: {}
 
 jobs:
   new-daily-release:
diff --git a/.github/workflows/pr-lint.yml b/.github/workflows/pr-lint.yml
index ded404b..107477b 100644
--- a/.github/workflows/pr-lint.yml
+++ b/.github/workflows/pr-lint.yml
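Review bot: The top-level grant in issue-stats.yml drops from `contents: read` to `permissions: {}`, but the diffstat for this file (1 insertion, 2 deletions) shows no job-level `permissions:` block being added, and the `build` job's body is outside the hunk. Unless `build` already declares its own scopes, its `GITHUB_TOKEN` now carries none and the first checkout or issues API call in that job fails with a 403 on the next scheduled run. Either add `permissions:` with `contents: read` (plus `issues: read` if the job reads issue data) under `build`, or record on the top-level line that the job declares its own, e.g. `permissions: {}  # scopes are declared on the build job`.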
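Review bot: In new-release.yml, replacing `permissions: read-all` with `permissions: {}` removes every read scope the `new-daily-release` job previously had, and the diffstat (1 insertion, 1 deletion) shows no job-level block added in this file; the job body is outside the hunk. A nightly release job presumably at least checks out the repository and likely needs `contents: write` to publish a release or tag, so verify the job already declares its own `permissions:` block, otherwise the next 21:00 UTC run fails at the first authenticated step. If it does, a one-line comment such as `permissions: {}  # scopes are declared per job below` saves the next reader the same check.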
@@ -37,9 +37,7 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
-  contents: read
-  packages: read # Required for private dependencies
+permissions: {}
 
 jobs:
   megalinter:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c800f45..303a62c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,8 +7,7 @@ on:
     tags:
       - 'v*'
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   release:
diff --git a/.github/workflows/security-suite.yml b/.github/workflows/security-suite.yml
index 4bacd4b..ffa73fd 100644
--- a/.github/workflows/security-suite.yml
+++ b/.github/workflows/security-suite.yml
@@ -18,11 +18,7 @@ on:
       - '**/*.yaml'
       - '.github/workflows/**'
 
-permissions:
-  contents: read
-  pull-requests: write
-  issues: write
-  actions: read
+permissions: {}
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
@@ -32,6 +28,11 @@ jobs:
   security-analysis:
     name: Security Analysis
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
+      actions: read
     steps:
       - name: Checkout PR
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 26a24c2..86061c3 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -8,10 +8,7 @@ on:
   workflow_call:
   workflow_dispatch:
 
-permissions:
-  contents: read
-  packages: read
-  statuses: read
+permissions: {}
 
 jobs:
   stale:
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index 4792b09..070aa0e 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -22,7 +22,7 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions: read-all
+permissions: {}
 
 jobs:
   labels:
@@ -31,6 +31,7 @@ jobs:
     timeout-minutes: 10
 
     permissions:
+      contents: read
       issues: write
 
     steps:
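Review bot: The removed line `packages: read # Required for private dependencies` in pr-lint.yml carries an explicit justification, and the diffstat for this file (1 insertion, 3 deletions) shows nothing granting `packages: read` back at job level, so either the `megalinter` job already declares its own `permissions:` block (in which case the top-level grant and its comment were already dead) or the job can no longer pull those private dependencies. The `megalinter` job definition is outside the hunk. If the scope is still needed, add under `megalinter` a `permissions:` block with `contents: read` and `packages: read # Required for private dependencies`; if it is not, the stale comment is worth a mention in the commit message so nobody restores it later.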
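Review bot: In security-suite.yml the `on:` lines visible in the first hunk are only path filters, with the event type above the hunk, while the job in this workflow is granted `pull-requests: write` and `issues: write` (second hunk) and its first step is named `Checkout PR`. The concurrency key reads `github.event.pull_request.number`, which is populated by both `pull_request` and `pull_request_target`; if the event is `pull_request_target` and the checkout uses the PR head ref, untrusted PR code runs with a token that can comment on and label pull requests and issues. Confirm the trigger is plain `pull_request`, or keep the write scopes out of the job that checks out and executes PR content, and record the decision on the top-level line, e.g. `permissions: {}  # job-level scopes only; trigger must stay pull_request, not pull_request_target`.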
diff --git a/.github/workflows/version-maintenance.yml b/.github/workflows/version-maintenance.yml
index b810f44..7c3ad02 100644
--- a/.github/workflows/version-maintenance.yml
+++ b/.github/workflows/version-maintenance.yml
@@ -12,15 +12,16 @@ on:
         required: false
         type: string
 
-permissions:
-  contents: write
-  pull-requests: write
-  issues: write
+permissions: {}
 
 jobs:
   check-and-update:
     name: Check Version References
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
     steps:
       - name: Checkout Repository