fix(ci): use GITHUB_TOKEN for semantic-release and harden workflow permissions

Replace secrets.PAT with secrets.GITHUB_TOKEN in publish.yml so semantic-release can comment on PRs/issues using the built-in token scoped by job-level permissions. Set top-level permissions to empty object across all workflows to follow the principle of least privilege, relying on job-level permissions blocks instead.
2026-03-01 00:53:49 +00:00 · 2026-02-27 22:50:05 +02:00
parent bed0d1ea5e
commit 9e10b3e2b2
5 changed files with 7 additions and 8 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -21,6 +21,8 @@ on:
  schedule:
    - cron: "22 8 * * 0"

+permissions: {}
+
 jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
--- a/.github/workflows/pr-lint.yml
+++ b/.github/workflows/pr-lint.yml
@@ -10,7 +10,7 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions: read-all
+permissions: {}

 env:
  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -6,7 +6,7 @@ on:
    branches:
      - main

-permissions: read-all
+permissions: {}

 env:
  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
@@ -72,5 +72,5 @@ jobs:
      - name: Semantic Release
        uses: cycjimmy/semantic-release-action@b12c8f6015dc215fe37bc154d4ad456dd3833c90 # v6.0.0
        env:
-          GITHUB_TOKEN: ${{ secrets.PAT }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -8,10 +8,7 @@ on:
  workflow_call:
  workflow_dispatch:

-permissions:
-  contents: read
-  packages: read
-  statuses: read
+permissions: {}

 jobs:
  stale:
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -20,7 +20,7 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions: read-all
+permissions: {}

 jobs:
  labels: