
Set explicit token permissions on all workflows

Open Copilot opened this issue 3 months ago • 0 comments

GitHub Actions workflows without explicit permissions default to elevated access. This PR explicitly sets minimal required permissions on all workflows following the principle of least privilege.

Changes

  • ci.yml - Added permissions: contents: read (checkout only)
  • smoke.yml - Added permissions: contents: read (checkout only)
  • release.yml - Moved job-level permissions to workflow level for consistency

# Before (ci.yml and smoke.yml)
on:
  pull_request:

jobs:
  build:
    runs-on: ubuntu-latest

# After
on:
  pull_request:

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest

scorecard.yml already had proper workflow-level permissions (no changes).

Original prompt

Explicitly set token permissions on all of the workflows in this project. Choose the least amount of permissions allowed.

Copilot avatar Oct 31 '25 14:10 Copilot
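
A check for the condition this PR addresses, as an added example (not code from the PR or the project): it flags workflows with no top-level `permissions:` block and lists write scopes granted at workflow level, where they apply to every job that does not override them. The sample workflows are constructed (the first two mirror the Before/After snippets above), the function names are hypothetical, and the parser is a line-based approximation, not a full YAML parser.

```python
import re
from pathlib import Path

# Constructed samples: BEFORE and AFTER mirror the snippets on this page.
BEFORE = "on:\n  pull_request:\n\njobs:\n  build:\n    runs-on: ubuntu-latest\n"
AFTER = ("on:\n  pull_request:\n\npermissions:\n  contents: read\n\n"
         "jobs:\n  build:\n    runs-on: ubuntu-latest\n")
# Constructed: a top-level block that hands write scopes to every job.
WRITE = ("on:\n  push:\n\npermissions:\n  contents: write  # release upload\n"
         "  id-token: write\n\njobs:\n  publish:\n    runs-on: ubuntu-latest\n")

# Matches only at column 0, so job-level `permissions:` keys are ignored.
PERM_LINE = re.compile(r"^permissions\s*:\s*([^#]*?)\s*(#.*)?$")

def workflow_permissions(text):
    """Return None when there is no top-level `permissions:` key, otherwise a
    dict of scope -> level ({"*": value} for the read-all/write-all shorthand)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = PERM_LINE.match(line)
        if not m:
            continue
        inline = m.group(1)
        if inline.startswith("{"):      # flow style: {} or {contents: read}
            body = inline.strip("{} ").split(",")
        elif inline:                    # shorthand: read-all / write-all
            return {"*": inline}
        else:                           # block style: indented scope lines follow
            body = []
            for sub in lines[i + 1:]:
                if sub.strip() and not sub.startswith((" ", "\t", "#")):
                    break               # next top-level key ends the block
                body.append(sub)
        scopes = {}
        for entry in body:
            key, sep, value = entry.split("#")[0].partition(":")
            if sep:
                scopes[key.strip()] = value.strip()
        return scopes
    return None

def audit(text):
    """Return findings for one workflow file; an empty list means it passes."""
    perms = workflow_permissions(text)
    if perms is None:
        return ["no workflow-level permissions block"]
    return [f"workflow-level grant {scope}: {level}"
            for scope, level in perms.items() if level in ("write", "write-all")]

if __name__ == "__main__":
    for path in sorted(Path(".github/workflows").glob("*.y*ml")):
        for finding in audit(path.read_text(encoding="utf-8")):
            print(f"{path}: {finding}")
```

Run from the repository root, it prints one line per finding and nothing when every workflow declares a read-only top-level block.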