Add explicit permissions to workflow for security (CodeQL fix)

Copilot · nielsdrost7 · Copilot · commit 2058e5a7b5e5 · 2025-11-21T02:14:36.000Z
Co-authored-by: nielsdrost7 &lt;47660417+nielsdrost7@users.noreply.github.com&gt;
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
@@ -19,6 +19,12 @@ This directory contains GitHub Actions workflows for automated CI/CD tasks.
 6. **Creates release archive** - Packages everything into a timestamped ZIP file
 7. **Uploads artifact** - Makes the release available for download (90-day retention)
 
+**Security:**
+
+The workflow uses minimal permissions:
+- `contents: read` - Read access to repository contents
+- `actions: write` - Write access to upload workflow artifacts
+
 **Required Secrets:**
 
 Before using this workflow, you need to configure these GitHub secrets:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -10,6 +10,10 @@ jobs:
     name: Build and Package Production Release
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+      actions: write  # Required for uploading artifacts
+
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
