fix(ci): add explicit permissions to GitHub Actions workflows (#4)

bug-ops · web-flow · commit 1db99b7bc9a3 · 2025-11-14T13:39:06.000+01:00
Add permissions blocks to all jobs in CI and release workflows
to follow security best practices. This limits GITHUB_TOKEN
permissions to minimum required for each job:

- contents: read - for jobs that only need to read repository
- actions: write - for jobs that upload artifacts (coverage, build)
- contents: write - for release job that creates GitHub releases

This prevents potential privilege escalation and follows the
principle of least privilege for GitHub Actions.

Fixes 9 CodeQL security scanning alerts.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -28,6 +28,8 @@ jobs:
     name: Check
     runs-on: ubuntu-latest
     timeout-minutes: 15
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v5
 
@@ -63,6 +65,8 @@ jobs:
     name: Security Audit
     runs-on: ubuntu-latest
     timeout-minutes: 10
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v5
 
@@ -92,6 +96,8 @@ jobs:
     needs: [check]
     runs-on: ${{ matrix.os }}
     timeout-minutes: 45
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
@@ -149,6 +155,9 @@ jobs:
     needs: [check]
     runs-on: ubuntu-latest
     timeout-minutes: 30
+    permissions:
+      contents: read
+      actions: write  # For uploading artifacts
     steps:
       - uses: actions/checkout@v5
 
@@ -199,6 +208,8 @@ jobs:
     needs: [check]
     runs-on: ubuntu-latest
     timeout-minutes: 20
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v5
 
@@ -221,6 +232,8 @@ jobs:
     needs: [check]
     runs-on: ubuntu-latest
     timeout-minutes: 25
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v5
 
@@ -252,6 +265,8 @@ jobs:
     needs: [test]
     runs-on: ubuntu-latest
     timeout-minutes: 25
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v5
 
@@ -291,6 +306,8 @@ jobs:
     needs: [check, security, test, coverage, msrv, benchmark]
     runs-on: ubuntu-latest
     if: always()
+    permissions:
+      contents: read
     steps:
       - name: Check all jobs
         run: |
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -13,6 +13,9 @@ jobs:
     name: Build Release (${{ matrix.target }})
     runs-on: ${{ matrix.os }}
     timeout-minutes: 45
+    permissions:
+      contents: read
+      actions: write  # For uploading artifacts
     strategy:
       fail-fast: false
       matrix:
