fix: harden workflow permissions with deny-all top-level and least-privilege job scopes (#482)

2026-03-07 07:56:17 +00:00 · 2026-03-06 02:44:56 +02:00
parent 455267f892
commit ae4ad9ec80
12 changed files with 32 additions and 35 deletions
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -22,7 +22,7 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions: read-all
+permissions: {}

 jobs:
  labels:
@@ -31,6 +31,7 @@ jobs:
    timeout-minutes: 10

    permissions:
+      contents: read
      issues: write

    steps: