From 76b48f1ef757e438f568503a39484c5e2c0731b0 Mon Sep 17 00:00:00 2001
From: Ismo Vuorinen
Date: Wed, 19 Nov 2025 00:25:01 +0200
Subject: [PATCH] security: add explicit permissions to all workflow jobs

- Add least-privilege permissions to all GitHub Actions jobs
- Fixes 8 CodeQL security findings (actions/missing-workflow-permissions)
- Build jobs: contents:read, actions:write
- Release job: contents:write, actions:read
- Test job: contents:read, checks:write, actions:write
- Status jobs: no permissions needed

Follows principle of least privilege and GitHub Actions security best practices.
---
 .github/workflows/build.yml | 7 +++++++
 .github/workflows/publish.yml | 10 ++++++++++
 .github/workflows/test.yml | 4 ++++
 3 files changed, 21 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 6d22ed3..44615eb 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -11,6 +11,9 @@ jobs:
 build-ios:
 name: Build iOS
 runs-on: macos-latest
+ permissions:
+ contents: read
+ actions: write
 steps:
 - name: Checkout code
@@ -39,6 +42,9 @@ jobs:
 build-maccatalyst:
 name: Build macOS Catalyst
 runs-on: macos-latest
+ permissions:
+ contents: read
+ actions: write
 steps:
 - name: Checkout code
@@ -69,6 +75,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: [build-ios, build-maccatalyst]
 if: always()
+ permissions: {}
 steps:
 - name: Check build status
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index d76078c..43e16f2 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -18,6 +18,9 @@ jobs:
 build-ios:
 name: Build iOS
 runs-on: macos-latest
+ permissions:
+ contents: read
+ actions: write
 steps:
 - name: Checkout code
@@ -72,6 +75,9 @@ jobs:
 build-maccatalyst:
 name: Build macOS
 runs-on: macos-latest
+ permissions:
+ contents: read
+ actions: write
 steps:
 - name: Checkout code
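Review bot: `actions: write` on build-ios is wider than a build job normally needs — write on the `actions` scope also lets the job token cancel workflow runs and delete caches and artifacts in the repository, so it is worth confirming which step actually requires it; the job's steps are outside the hunk (only the Checkout step is visible). If it is there for artifact upload or cache housekeeping, check the documentation of the action version in use and record the reason in place, e.g. `actions: write  # needed by <step name> (TODO: confirm, else reduce to read)`. The same `contents: read` / `actions: write` pair is added to build-maccatalyst below, to both build jobs in publish.yml and to the test job in test.yml, so the outcome of that check applies to all five. The hunk starts at line 11, so it is not visible whether the workflow also sets a top-level `permissions:`; a workflow-level `permissions: contents: read` would keep any job added later from inheriting the repository's default token scope.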
@@ -128,6 +134,9 @@ jobs:
 runs-on: ubuntu-latest
 needs: [build-ios, build-maccatalyst]
 if: always() && needs.build-ios.result == 'success' && needs.build-maccatalyst.result == 'success'
+ permissions:
+ contents: write
+ actions: read
 steps:
 - name: Checkout code
@@ -203,6 +212,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: [build-ios, build-maccatalyst, create-release]
 if: always()
+ permissions: {}
 steps:
 - name: Check publish status
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 1b30475..f834829 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -10,6 +10,10 @@ jobs:
 test:
 name: Run Tests
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ checks: write
+ actions: write
 steps:
 - name: Checkout code
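Review bot: The `contents: write` added to the release job is the narrowest scope GitHub offers for creating a release, but it also lets the job token push commits and tags and modify other releases, so the hunk should record what it is for; the job's own name is outside the hunk (the status job below refers to it as create-release), and the `needs`/`if` context shows it runs only after both builds succeeded. A short comment on each line would make the next least-privilege review quicker, e.g. `contents: write  # creates the GitHub Release` and `actions: read  # presumably for downloading the build artifacts — confirm against the steps`. Since no finer `contents` scope exists, the remaining control sits outside the permissions block — keeping the token's use confined to the release step and pinning that action by commit SHA — which this hunk cannot show.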
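Review bot: `checks: write` on the test job lets the token create and update check runs on the commit; the step that needs it is outside the hunk, where only the Checkout step is visible, so the reason is not recorded anywhere. Annotate it in place, e.g. `checks: write  # used by <report step> (TODO: name it)`, and if the consuming action only writes to the job summary rather than the Checks API, the line can be dropped. The `actions: write` line carries the same open question as the build jobs in build.yml and publish.yml.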