fix: harden workflow permissions with deny-all top-level and least-privilege job scopes (#482)

2026-03-07 12:56:21 +00:00 · 2026-03-06 02:44:56 +02:00
parent 455267f892
commit ae4ad9ec80
12 changed files with 32 additions and 35 deletions
--- a/.github/workflows/security-suite.yml
+++ b/.github/workflows/security-suite.yml
@@ -18,11 +18,7 @@ on:
      - '**/*.yaml'
      - '.github/workflows/**'

-permissions:
-  contents: read
-  pull-requests: write
-  issues: write
-  actions: read
+permissions: {}

 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
@@ -32,6 +28,11 @@ jobs:
  security-analysis:
    name: Security Analysis
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
+      actions: read

    steps:
      - name: Checkout PR