fix(ci): harden workflow permissions and use GITHUB_TOKEN for releases (#109)

Replace overly broad top-level permissions (read-all) with empty defaults and declare minimal job-level permissions. Switch publish workflow from secrets.PAT to secrets.GITHUB_TOKEN so semantic-release can comment on PRs and issues.
2026-03-01 22:54:19 +00:00 · 2026-02-28 10:08:15 +02:00
parent 49e85b8097
commit 9992182f9e
5 changed files with 8 additions and 14 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -11,15 +11,15 @@ on:
    - cron: '30 1 * * 0' # Run at 1:30 AM UTC every Sunday
  merge_group:

-permissions:
-  actions: read
-  contents: read
+permissions: {}

 jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
+      actions: read
+      contents: read
      security-events: write

    strategy: