chore: enforce least-privilege permissions in GitHub Actions workflows

Set top-level `permissions: {}` on all workflows and move required permissions to job level. Switch publish.yml from secrets.PAT to secrets.GITHUB_TOKEN so semantic-release can comment on PRs/issues.
2026-03-04 01:54:48 +00:00 · 2026-02-27 23:03:55 +02:00
parent 757058ee7f
commit 1c861d1adc
6 changed files with 13 additions and 13 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -11,15 +11,15 @@ on:
    - cron: '30 1 * * 0' # Run at 1:30 AM UTC every Sunday
  merge_group:

-permissions:
-  actions: read
-  contents: read
+permissions: {}

 jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
+      actions: read
+      contents: read
      security-events: write

    strategy: