chore: enforce least-privilege permissions in GitHub Actions workflows

Set top-level `permissions: {}` on all workflows and move required permissions to job level. Switch publish.yml from secrets.PAT to secrets.GITHUB_TOKEN so semantic-release can comment on PRs/issues.
2026-03-08 05:56:57 +00:00 · 2026-02-27 23:03:55 +02:00
parent 757058ee7f
commit 1c861d1adc
6 changed files with 13 additions and 13 deletions
--- a/.github/workflows/update-browserslist.yaml
+++ b/.github/workflows/update-browserslist.yaml
@@ -7,13 +7,14 @@ on:
    - cron: '0 2 1,15 * *'
  workflow_dispatch:

-permissions:
-  contents: write
-  pull-requests: write
+permissions: {}

 jobs:
  update-browserslist-database:
    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2