fix(ci): harden workflow permissions and use GITHUB_TOKEN for releases (#109)

Replace overly broad top-level permissions (read-all) with empty defaults and declare minimal job-level permissions. Switch publish workflow from secrets.PAT to secrets.GITHUB_TOKEN so semantic-release can comment on PRs and issues.
2026-02-28 22:53:58 +00:00 · 2026-02-28 10:08:15 +02:00
parent 49e85b8097
commit 9992182f9e
5 changed files with 8 additions and 14 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -11,15 +11,15 @@ on:
    - cron: '30 1 * * 0' # Run at 1:30 AM UTC every Sunday
  merge_group:

-permissions:
-  actions: read
-  contents: read
+permissions: {}

 jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
+      actions: read
+      contents: read
      security-events: write

    strategy:
--- a/.github/workflows/pr-lint.yml
+++ b/.github/workflows/pr-lint.yml
@@ -12,7 +12,7 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions: read-all
+permissions: {}

 jobs:
  Linter:
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -6,7 +6,7 @@ on:
    branches:
      - main

-permissions: read-all
+permissions: {}

 env:
  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
@@ -20,8 +20,6 @@ jobs:
      statuses: write
      contents: read
      packages: read
-      issues: write
-      pull-requests: write

    steps:
      - name: Run PR Lint
@@ -72,5 +70,5 @@ jobs:
      - name: Semantic Release
        uses: cycjimmy/semantic-release-action@b12c8f6015dc215fe37bc154d4ad456dd3833c90 # v6.0.0
        env:
-          GITHUB_TOKEN: ${{ secrets.PAT }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -8,10 +8,7 @@ on:
  workflow_call:
  workflow_dispatch:

-permissions:
-  contents: read
-  packages: read
-  statuses: read
+permissions: {}

 jobs:
  stale:
@@ -19,7 +16,6 @@ jobs:
    runs-on: ubuntu-latest

    permissions:
-      contents: write # only for delete-branch option
      issues: write
      pull-requests: write
    steps:
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -20,7 +20,7 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions: read-all
+permissions: {}

 jobs:
  labels: