From 9992182f9eaa725a3947493aaeca6025b0e2ca77 Mon Sep 17 00:00:00 2001
From: Ismo Vuorinen
Date: Sat, 28 Feb 2026 10:08:15 +0200
Subject: [PATCH] fix(ci): harden workflow permissions and use GITHUB_TOKEN for releases (#109)
Replace overly broad top-level permissions (read-all) with empty defaults and declare minimal job-level permissions. Switch publish workflow from secrets.PAT to secrets.GITHUB_TOKEN so semantic-release can comment on PRs and issues.
---
.github/workflows/codeql.yml | 6 +++---
.github/workflows/pr-lint.yml | 2 +-
.github/workflows/publish.yml | 6 ++----
.github/workflows/stale.yml | 6 +-----
.github/workflows/sync-labels.yml | 2 +-
5 files changed, 8 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index aa6cc6a..e690647 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -11,15 +11,15 @@ on:
- cron: '30 1 * * 0' # Run at 1:30 AM UTC every Sunday
merge_group:
-permissions:
- actions: read
- contents: read
+permissions: {}
jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
+ actions: read
+ contents: read
security-events: write
strategy:
diff --git a/.github/workflows/pr-lint.yml b/.github/workflows/pr-lint.yml
index 9110883..66ca6d5 100644
--- a/.github/workflows/pr-lint.yml
+++ b/.github/workflows/pr-lint.yml
@@ -12,7 +12,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
-permissions: read-all
+permissions: {}
jobs:
Linter:
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 2d9e6b6..9205866 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -6,7 +6,7 @@ on:
branches:
- main
-permissions: read-all
+permissions: {}
env:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
@@ -20,8 +20,6 @@ jobs:
statuses: write
contents: read
packages: read
- issues: write
- pull-requests: write
steps:
- name: Run PR Lint
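Review bot: With `permissions: {}` now at the top of pr-lint.yml, the `Linter` job that follows `jobs:` inherits no token scopes at all, and this hunk does not show it declaring its own; if the job has no `permissions:` block, `actions/checkout` (needs `contents: read`) and any PR-title check that reads the pull request (needs `pull-requests: read`) will fail with a 403 where `read-all` previously covered them. Please confirm the job declares the minimal set it actually uses, e.g. `permissions:` / `  contents: read` / `  pull-requests: read`, or add it in this commit. The `Linter` job body is outside the hunk, so this is inferred from the visible change only.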
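Review bot: In publish.yml the `NPM_TOKEN: ${{ secrets.NPM_TOKEN }}` line under the workflow-level `env:` is left untouched, which keeps the npm publish credential in the environment of every step of every job in this workflow — including the PR lint job and whatever third-party actions it runs — even though only the release step needs it. The later hunk already sets `NPM_TOKEN` in the Semantic Release step's own `env:`, so the workflow-level entry is redundant and should be deleted to match the least-privilege intent of `permissions: {}`. If something other than that step really consumes it, scope it to that job's `env:` rather than the workflow's.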
@@ -72,5 +70,5 @@ jobs:
- name: Semantic Release
uses: cycjimmy/semantic-release-action@b12c8f6015dc215fe37bc154d4ad456dd3833c90 # v6.0.0
env:
- GITHUB_TOKEN: ${{ secrets.PAT }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 6fe49cc..a9cf48c 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -8,10 +8,7 @@ on:
workflow_call:
workflow_dispatch:
-permissions:
- contents: read
- packages: read
- statuses: read
+permissions: {}
jobs:
stale:
@@ -19,7 +16,6 @@ jobs:
runs-on: ubuntu-latest
permissions:
- contents: write # only for delete-branch option
issues: write
pull-requests: write
steps:
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index 5808ee1..601b456 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -20,7 +20,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
-permissions: read-all
+permissions: {}
jobs:
labels:
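Review bot: The switch to `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` only works if the job owning this step grants the token what semantic-release needs — `contents: write` to push the release commit/tag and create the GitHub release, plus `issues: write` and `pull-requests: write` for the comments the commit message mentions — and with `permissions: {}` at the top of publish.yml nothing is inherited; the job's `permissions:` block is outside this hunk, so please confirm it declares exactly those. Two behaviours change versus the PAT and are worth a comment next to this line: a tag or commit pushed with `GITHUB_TOKEN` does not trigger other workflows listening on `push`/`release`, and the token cannot bypass branch protection on `main`, so a protected branch will reject the release commit where an admin PAT succeeded. Since `NPM_TOKEN` is a long-lived secret in the same step, consider adding `id-token: write` to the job and publishing with npm provenance so the remaining credential can be narrowed or removed.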
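Review bot: Dropping `contents: write # only for delete-branch option` from the `stale` job is only safe if the `delete-branch` option that comment referred to is also disabled; the action's `with:` block is outside this hunk, and if it still sets `delete-branch: true` every run will fail when it tries to delete a branch without `contents: write`. Please confirm the option is removed or set to `false` in the same commit, or keep the permission with its comment. The rest of the `stale` job continues past the end of the hunk.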
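Review bot: The `labels` job below `jobs:` in sync-labels.yml now starts from an empty permission set, and this hunk does not show it declaring any; creating, updating or deleting repository labels requires `issues: write` on the token, so the sync can only keep working if the job's own `permissions:` block (outside the hunk) already grants it or the action is driven by a separate token. The old `read-all` never granted that write either, so it is likely already declared at job level, but please confirm rather than rely on it; `permissions:` / `  issues: write` (plus `contents: read` if the job checks out a labels file) is the minimal set.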