
Set workflow token permissions #27

Merged: glenn-jocher merged 1 commit into main from fix-codeql-workflow-permissions on Apr 23, 2026

Conversation

@glenn-jocher
Member

@glenn-jocher glenn-jocher commented Apr 23, 2026

Summary

  • add explicit contents: read permissions to CI and Replicate push workflows

CodeQL alerts

Addresses:

Validation

  • Parsed workflow YAML with yaml.safe_load()
  • git diff --check

🛠️ PR Summary

Made with ❤️ by Ultralytics Actions

🌟 Summary

🔐 This PR updates GitHub Actions workflows to use explicit read-only repository permissions, improving CI/CD security without changing functionality.

📊 Key Changes

  • Added a top-level permissions block with contents: read to .github/workflows/ci.yml
  • Added the same permissions setting to .github/workflows/push.yml
  • Applies to both:
    • the main CI workflow
    • the workflow that pushes YOLO to Replicate

🎯 Purpose & Impact

  • Improves security by limiting GitHub Actions workflows to the minimum access they need 🛡️
  • Reduces risk from overly broad default token permissions in automated workflows
  • Aligns the repository with GitHub Actions security best practices ✅
  • Should have no impact on normal development or deployment behavior, since these workflows only need read access to repository contents 🚀
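The change both workflows received, shown here as an added example rather than the repository's actual ci.yml or push.yml (the job names and steps are assumptions, constructed for illustration):

```yaml
# Added example, not the repository's own ci.yml or push.yml: a minimal
# workflow shown before and after the change this PR describes. The jobs
# and their steps are constructed for illustration.
#
# BEFORE: no top-level permissions block. GITHUB_TOKEN receives whatever the
# repository's default token permissions are, which may include write scopes
# this job never uses.
name: CI
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pytest
---
# AFTER: explicit least-privilege token. Declaring any permissions block sets
# every scope not listed to "none", so contents: read is all this job gets;
# actions/checkout needs exactly that to clone the repository.
name: CI
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pytest
  # A job that genuinely needs more can widen its own token without widening
  # the rest of the workflow: job-level permissions override the top-level block.
  comment:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - run: echo "a step that posts a PR comment would go here"
```

The block only scopes the automatically issued GITHUB_TOKEN; secrets a workflow reads explicitly from repository settings are unaffected, which is why a read-only token does not break a job that authenticates to an external service with its own credential.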

@UltralyticsAssistant added labels priority: low (Low urgency; can wait behind higher-priority work.) and security (Security-related events) on Apr 23, 2026
@UltralyticsAssistant
Member

👋 Hello @glenn-jocher, thank you for submitting an ultralytics/replicate 🚀 PR! This is an automated message to help streamline review, and an engineer will assist you shortly. Please review the checklist below to support a smooth integration of your changes 🔐

  • Define a Purpose: Clearly explain the purpose of your fix or feature in your PR description, and link to any relevant issues. Ensure your commit messages are clear, concise, and adhere to the project's conventions.
  • Synchronize with Source: Confirm your PR is synchronized with the ultralytics/replicate main branch. If it's behind, update it by clicking the 'Update branch' button or by running git pull and git merge main locally.
  • Ensure CI Checks Pass: Verify all Ultralytics Continuous Integration (CI) checks are passing. If any checks fail, please address the issues.
  • Update Documentation: Update the relevant documentation for any new or modified features.
  • Add Tests: If applicable, include or update tests to cover your changes, and confirm that all tests are passing.
  • Sign the CLA: Please ensure you have signed our Contributor License Agreement if this is your first Ultralytics PR by writing "I have read the CLA Document and I sign the CLA" in a new message.
  • Minimize Changes: Limit your changes to the minimum necessary for your bug fix or feature addition. "It is not daily increase but daily decrease, hack away the unessential. The closer to the source, the less wastage there is." — Bruce Lee

For more guidance, please refer to our Contributing Guide. Don't hesitate to leave a comment if you have any questions. Thank you for contributing to Ultralytics! 🚀

Member

@UltralyticsAssistant UltralyticsAssistant left a comment


🔍 PR Review

Made with ❤️ by Ultralytics Actions

This PR looks clean. Adding top-level permissions: contents: read to both workflows is a sensible least-privilege hardening change, and nothing in the provided diff suggests a functional regression.

@glenn-jocher glenn-jocher merged commit 6c9e0c8 into main Apr 23, 2026
13 checks passed
@glenn-jocher glenn-jocher deleted the fix-codeql-workflow-permissions branch April 23, 2026 23:04
@UltralyticsAssistant
Member

Merged! 🎉 Thanks for the thoughtful security improvement here, @glenn-jocher.

Adding explicit read-only permissions to the GitHub Actions workflows is a small change with meaningful impact, strengthening CI/CD security while keeping behavior unchanged. As Benjamin Franklin said, “An ounce of prevention is worth a pound of cure.” This update reflects that perfectly by reducing unnecessary access and aligning the repo with GitHub Actions best practices.

Really appreciate the care and attention to detail on this one 🙌
