From 1c861d1adc46b7b7c4437d678da6437a23fb51a7 Mon Sep 17 00:00:00 2001
From: Ismo Vuorinen
Date: Fri, 27 Feb 2026 23:03:55 +0200
Subject: [PATCH] chore: enforce least-privilege permissions in GitHub Actions workflows

Set top-level `permissions: {}` on all workflows and move required permissions to job level. Switch publish.yml from secrets.PAT to secrets.GITHUB_TOKEN so semantic-release can comment on PRs/issues.
---
 .github/workflows/codeql.yml | 6 +++---
 .github/workflows/pr-lint.yml | 2 ++
 .github/workflows/publish.yml | 4 ++--
 .github/workflows/stale.yml | 5 +----
 .github/workflows/sync-labels.yml | 2 +-
 .github/workflows/update-browserslist.yaml | 7 ++++---
 6 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index aa6cc6a..e690647 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -11,15 +11,15 @@ on:
     - cron: '30 1 * * 0' # Run at 1:30 AM UTC every Sunday
   merge_group:
 
-permissions:
-  actions: read
-  contents: read
+permissions: {}
 
 jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
     permissions:
+      actions: read
+      contents: read
       security-events: write
 
     strategy:
diff --git a/.github/workflows/pr-lint.yml b/.github/workflows/pr-lint.yml
index 44b601d..213220d 100644
--- a/.github/workflows/pr-lint.yml
+++ b/.github/workflows/pr-lint.yml
@@ -6,6 +6,8 @@ on:
   pull_request:
     branches: [master, main]
 
+permissions: {}
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 2d9e6b6..d953d12 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -6,7 +6,7 @@ on:
     branches:
       - main
 
-permissions: read-all
+permissions: {}
 
 env:
   NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
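Review bot: The job-level grant moved into `analyze` carries no why-comment per scope, which is what keeps a least-privilege block reviewable once the commit message is forgotten; `actions: read` in particular is, per the CodeQL starter template, only needed for private repositories, so a later cleanup may drop it or keep it without knowing which. I would annotate each line, e.g. `actions: read # CodeQL reads workflow metadata (private repos)`, `contents: read # checkout`, `security-events: write # upload SARIF results`. The `analyze` job continues past the hunk, so I cannot confirm from here that no later step needs a further scope.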
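Review bot: Emptying the top-level permissions in pr-lint.yml without a matching job-level grant leaves the lint job's GITHUB_TOKEN with no scopes, and the hunk shows no job-level `permissions:` being added; if the job reads the pull request through the API, as PR-title linters typically do, it will now fail with a 403 rather than a lint error. The stale.yml and sync-labels.yml hunks follow the same pattern: the old top-level grants there were read-only and their `stale` and `labels` jobs, whose bodies are outside the hunks, need `issues: write` and `pull-requests: write` to label or close anything, so each job should be checked for an explicit block. For pr-lint I would add under the job `permissions:` with `pull-requests: read` and annotate why. The job definitions begin outside these hunks.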
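Review bot: `NPM_TOKEN` remains exported in publish.yml's workflow-level `env:`, so it is injected into every step of every job, including checkout and any third-party action, which `permissions: {}` does nothing to narrow. The Semantic Release step in the later hunk already sets `NPM_TOKEN` in its own step-level `env:`, so the workflow-level entry appears redundant; I would drop the two `env:` lines here and keep only the step-scoped one. If another job in this file depends on the workflow-level value, scope it to that job instead; the rest of the file is outside the hunk.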
@@ -72,5 +72,5 @@ jobs:
       - name: Semantic Release
         uses: cycjimmy/semantic-release-action@b12c8f6015dc215fe37bc154d4ad456dd3833c90 # v6.0.0
         env:
-          GITHUB_TOKEN: ${{ secrets.PAT }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 6fe49cc..0800365 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -8,10 +8,7 @@ on:
   workflow_call:
   workflow_dispatch:
 
-permissions:
-  contents: read
-  packages: read
-  statuses: read
+permissions: {}
 
 jobs:
   stale:
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index 5808ee1..601b456 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -20,7 +20,7 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions: read-all
+permissions: {}
 
 jobs:
   labels:
diff --git a/.github/workflows/update-browserslist.yaml b/.github/workflows/update-browserslist.yaml
index ef92c07..113d0f1 100644
--- a/.github/workflows/update-browserslist.yaml
+++ b/.github/workflows/update-browserslist.yaml
@@ -7,13 +7,14 @@ on:
     - cron: '0 2 1,15 * *'
   workflow_dispatch:
 
-permissions:
-  contents: write
-  pull-requests: write
+permissions: {}
 
 jobs:
   update-browserslist-database:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
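Review bot: Switching to `secrets.GITHUB_TOKEN` while the workflow now starts from `permissions: {}` hands semantic-release a token with no scopes unless the release job already carries its own `permissions:` block outside this hunk, and the diffstat (4 lines changed in publish.yml) shows none was added; creating tags and the GitHub release and commenting on PRs/issues all require write scopes, so the stated goal of the commit is not met as-is. The job should grant `contents: write`, `issues: write` and `pull-requests: write` explicitly, each with a comment naming the semantic-release step that needs it. Two differences from a PAT also deserve a comment at this step: tags and releases created with GITHUB_TOKEN do not trigger other workflows, and the token cannot bypass branch-protection rules the PAT's owner may have bypassed, so if a git plugin pushes release commits to `main` this should be confirmed with a dry run. The enclosing job starts outside the hunk.
```yaml
# … unchanged: job name and runs-on …
    permissions:
      contents: write       # create tags and the GitHub release
      issues: write         # comment on released issues
      pull-requests: write  # comment on released PRs
# … unchanged: steps …
```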
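Review bot: The new job-level `contents: write` and `pull-requests: write` in update-browserslist.yaml say nothing about which step consumes them, and `contents: write` is the broader grant; a reader of this hunk cannot tell whether it exists to push the update branch or for something else, which is exactly what a least-privilege block should make obvious. I would annotate both lines, e.g. `contents: write # push the update branch` and `pull-requests: write # open or refresh the update PR`, adjusting the wording to the action actually used. The steps that use these scopes are outside the hunk.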