From f2e2c00fce8457388108d3303d324abb0568ab8c Mon Sep 17 00:00:00 2001 From: Richard Wooding Date: Tue, 28 Apr 2026 11:59:28 +0200 Subject: [PATCH] ci: restrict GITHUB_TOKEN to contents:read in CI workflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CodeQL flagged three instances of `actions/missing-workflow-permissions` (alerts #1, #2, #3) on .github/workflows/ci.yml — one per job (lint, unit-tests, integration-tests). Without an explicit permissions block, the default GITHUB_TOKEN gets the repo-wide write permission set. All three jobs only need to read code (checkout, install deps, run ruff/mypy/pytest, upload artifacts to the run's own artifact storage). A workflow-level `permissions: contents: read` covers all three jobs and resolves all three alerts in one block. The release workflow continues to specify its own write permissions (contents: write for the GitHub Release, id-token: write for PyPI OIDC). When release.yml calls ci.yml via workflow_call, ci.yml's permissions block scopes what ci.yml's jobs can do — the caller's permissions don't propagate down — so this change does not affect release publishing. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/ci.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bcb5e50..0aec353 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -7,6 +7,9 @@ on: branches: [main] workflow_call: # allow release workflow to reuse this +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true
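Review bot: The hunk does what the subject line says, but the commit message's reasoning about `workflow_call` should be corrected before merge: the caller's GITHUB_TOKEN permissions do propagate to the called workflow; what a called workflow's `permissions:` block can do is only downgrade them, never elevate. So when release.yml calls ci.yml, the ci.yml jobs run with the intersection of the caller's grant and this `contents: read`, which is the intended downgrade, and the conclusion that release publishing is unaffected holds only because the `contents: write` / `id-token: write` steps live in release.yml's own jobs rather than in anything ci.yml runs. Also worth a one-line comment beside `+permissions:` / `+  contents: read`: a workflow-level block sets every unlisted scope to `none`, so the three jobs keep working (checkout, artifact upload and pytest need nothing beyond read), but any job added later that posts annotations or a check run will need its own job-level `permissions:` with e.g. `checks: write`, since it can no longer fall back to the repository default.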