chore(ci): harden workflow by setting default permission to read only (#728)

zerosnacks · web-flow · commit bee297442f04 · 2025-09-15T14:57:08.000+02:00
In `sync.yml` `contents: write` permissions are required to push perform
the sync as well as persist credentials (explicitly marked at true).

`persist-credentials: true` is required in order to push to the `v1`
branch by the workflow
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,5 +1,8 @@
 name: CI
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   pull_request:
@@ -27,7 +30,9 @@ jobs:
           - --use solc:0.6.2
           - --use solc:0.6.12
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - uses: foundry-rs/foundry-toolchain@v1
       - run: forge --version
       - run: |
@@ -51,7 +56,9 @@ jobs:
       matrix:
         toolchain: [stable, nightly]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - uses: foundry-rs/foundry-toolchain@v1
         with:
           version: ${{ matrix.toolchain }}
@@ -67,7 +74,9 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - uses: foundry-rs/foundry-toolchain@v1
       - run: forge --version
       - run: forge fmt --check
@@ -76,12 +85,15 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - uses: crate-ci/typos@v1
 
   ci-success:
     runs-on: ubuntu-latest
     if: always()
+    permissions: {}
     needs:
       - build
       - test
diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml
@@ -1,5 +1,8 @@
 name: Sync Release Branch
 
+permissions:
+  contents: read
+
 on:
   release:
     types:
@@ -8,11 +11,14 @@ on:
 jobs:
   sync-release-branch:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     if: startsWith(github.event.release.tag_name, 'v1')
     steps:
       - name: Check out the repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
+          persist-credentials: true
           fetch-depth: 0
           ref: v1
 
