chore: enforce least-privilege permissions in GitHub Actions workflows

Set top-level `permissions: {}` on all workflows and move required permissions to job level. Switch publish.yml from secrets.PAT to secrets.GITHUB_TOKEN so semantic-release can comment on PRs/issues.
2026-03-04 16:55:08 +00:00 · 2026-02-27 23:03:55 +02:00
parent 757058ee7f
commit 1c861d1adc
6 changed files with 13 additions and 13 deletions
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -20,7 +20,7 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions: read-all
+permissions: {}

 jobs:
  labels: