fix: harden workflow permissions with deny-all top-level and least-privilege job scopes (#482)

2026-03-07 17:56:27 +00:00 · 2026-03-06 02:44:56 +02:00
parent 455267f892
commit ae4ad9ec80
12 changed files with 32 additions and 35 deletions
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -4,12 +4,13 @@ name: 'Dependency Review'
 on:
  - pull_request

-permissions:
-  contents: read
+permissions: {}

 jobs:
  dependency-review:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta