ci: enforce least-privilege permissions and update workflows (#188)

* ci: add permissions: {} to CI workflow with job-level contents: read * ci: enforce least-privilege permissions in security workflow * ci: enforce least-privilege permissions in commitlint workflow * ci: enforce least-privilege permissions in pr-lint workflow and update actions * ci: enforce least-privilege permissions in stale workflow and update actions * ci: enforce least-privilege permissions in sync-labels workflow and update actions * ci: enforce least-privilege permissions in release workflow and update actions * chore(actions): update ivuorinen/actions/codeql-analysis (v2026.03.06 → v2026.03.09) * chore(deps): update testdata composite action dependencies
2026-03-12 12:00:07 +00:00 · 2026-03-10 19:08:53 +02:00
parent 042b7a27a4
commit d266beab79
9 changed files with 25 additions and 23 deletions
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -8,10 +8,7 @@ on:
  workflow_call:
  workflow_dispatch:

-permissions:
-  contents: read
-  packages: read
-  statuses: read
+permissions: {}

 jobs:
  stale:
@@ -23,4 +20,4 @@ jobs:
      issues: write
      pull-requests: write
    steps:
-      - uses: ivuorinen/actions/stale@6e8f2aae9d0846d901d9eba15b8e94a2900573dc # v2026.03.02
+      - uses: ivuorinen/actions/stale@4360ea39c744dbd52bf1d624bf058ba4dd81245a # v2026.03.09