fix(ci): harden workflow permissions and use GITHUB_TOKEN for releases (#109)

Replace overly broad top-level permissions (read-all) with empty
defaults and declare minimal job-level permissions. Switch publish
workflow from secrets.PAT to secrets.GITHUB_TOKEN so semantic-release
can comment on PRs and issues.
This commit is contained in:
2026-02-28 10:08:15 +02:00
committed by GitHub
parent 49e85b8097
commit 9992182f9e
5 changed files with 8 additions and 14 deletions

View File

@@ -11,15 +11,15 @@ on:
- cron: '30 1 * * 0' # Run at 1:30 AM UTC every Sunday
merge_group:
permissions:
actions: read
contents: read
permissions: {}
jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
strategy:

View File

@@ -12,7 +12,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions: read-all
permissions: {}
jobs:
Linter:

View File

@@ -6,7 +6,7 @@ on:
branches:
- main
permissions: read-all
permissions: {}
env:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
@@ -20,8 +20,6 @@ jobs:
statuses: write
contents: read
packages: read
issues: write
pull-requests: write
steps:
- name: Run PR Lint
@@ -72,5 +70,5 @@ jobs:
- name: Semantic Release
uses: cycjimmy/semantic-release-action@b12c8f6015dc215fe37bc154d4ad456dd3833c90 # v6.0.0
env:
GITHUB_TOKEN: ${{ secrets.PAT }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

View File

@@ -8,10 +8,7 @@ on:
workflow_call:
workflow_dispatch:
permissions:
contents: read
packages: read
statuses: read
permissions: {}
jobs:
stale:
@@ -19,7 +16,6 @@ jobs:
runs-on: ubuntu-latest
permissions:
contents: write # only for delete-branch option
issues: write
pull-requests: write
steps:

View File

@@ -20,7 +20,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions: read-all
permissions: {}
jobs:
labels: