chore: enforce least-privilege permissions in GitHub Actions workflows

Set top-level `permissions: {}` on all workflows and move required permissions to job level. Switch publish.yml from secrets.PAT to secrets.GITHUB_TOKEN so semantic-release can comment on PRs/issues.
2026-03-02 17:54:20 +00:00 · 2026-02-27 23:03:55 +02:00
parent 757058ee7f
commit 1c861d1adc
6 changed files with 13 additions and 13 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -11,15 +11,15 @@ on:
    - cron: '30 1 * * 0' # Run at 1:30 AM UTC every Sunday
  merge_group:

-permissions:
-  actions: read
-  contents: read
+permissions: {}

 jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
+      actions: read
+      contents: read
      security-events: write

    strategy:
--- a/.github/workflows/pr-lint.yml
+++ b/.github/workflows/pr-lint.yml
@@ -6,6 +6,8 @@ on:
  pull_request:
    branches: [master, main]

+permissions: {}
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -6,7 +6,7 @@ on:
    branches:
      - main

-permissions: read-all
+permissions: {}

 env:
  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
@@ -72,5 +72,5 @@ jobs:
      - name: Semantic Release
        uses: cycjimmy/semantic-release-action@b12c8f6015dc215fe37bc154d4ad456dd3833c90 # v6.0.0
        env:
-          GITHUB_TOKEN: ${{ secrets.PAT }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -8,10 +8,7 @@ on:
  workflow_call:
  workflow_dispatch:

-permissions:
-  contents: read
-  packages: read
-  statuses: read
+permissions: {}

 jobs:
  stale:
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -20,7 +20,7 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions: read-all
+permissions: {}

 jobs:
  labels:
--- a/.github/workflows/update-browserslist.yaml
+++ b/.github/workflows/update-browserslist.yaml
@@ -7,13 +7,14 @@ on:
    - cron: '0 2 1,15 * *'
  workflow_dispatch:

-permissions:
-  contents: write
-  pull-requests: write
+permissions: {}

 jobs:
  update-browserslist-database:
    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2