fix(ci): use GITHUB_TOKEN for semantic-release and harden workflow permissions

Replace secrets.PAT with secrets.GITHUB_TOKEN in publish.yml so semantic-release can comment on PRs/issues using the built-in token scoped by job-level permissions. Set top-level permissions to empty object across all workflows to follow the principle of least privilege, relying on job-level permissions blocks instead.
2026-03-01 13:54:01 +00:00 · 2026-02-27 22:50:05 +02:00
parent bed0d1ea5e
commit 9e10b3e2b2
5 changed files with 7 additions and 8 deletions
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -8,10 +8,7 @@ on:
  workflow_call:
  workflow_dispatch:

-permissions:
-  contents: read
-  packages: read
-  statuses: read
+permissions: {}

 jobs:
  stale: