fix: restrict GITHUB_TOKEN permissions in CI workflows#20

Merged
tirthpatell merged 1 commit into main from fix/ci-permissions
Mar 13, 2026

Conversation

@tirthpatell
Owner

@tirthpatell tirthpatell commented Mar 13, 2026

Summary

  • Adds explicit permissions: contents: read to both CI and Integration Tests workflows
  • Restricts GITHUB_TOKEN from broad default permissions to minimum required scope
  • Resolves CodeQL alert #8

Test plan

  • CI workflow runs successfully with restricted permissions
  • Integration tests workflow runs successfully with restricted permissions

Resolves CodeQL alert #8 by adding explicit permissions block
to limit token scope to contents:read only.
@greptile-apps

greptile-apps bot commented Mar 13, 2026

Greptile Summary

This PR adds explicit permissions: contents: read at the workflow level to both .github/workflows/ci.yml and .github/workflows/integration-tests.yml, restricting the GITHUB_TOKEN to the minimum required scope and resolving CodeQL alert #8.

  • ci.yml: contents: read is sufficient — actions/checkout@v6 only needs read access, actions/cache@v5 authenticates via the runner-managed ACTIONS_RUNTIME_TOKEN (not GITHUB_TOKEN), and the coverage badge update step uses the dedicated GIST_TOKEN repository secret rather than GITHUB_TOKEN.
  • integration-tests.yml: Same rationale applies — all Threads API credentials (THREADS_CLIENT_ID, THREADS_ACCESS_TOKEN, etc.) are repository secrets entirely separate from GITHUB_TOKEN, so they are unaffected by this restriction.
  • No functional regressions are introduced; both workflows will continue to operate correctly with the narrowed scope.
  • These are the only two workflow files in the repository, so coverage is complete.

Confidence Score: 5/5

  • This PR is safe to merge — it is a minimal, targeted security hardening change with no functional impact.
  • Both workflows only need contents: read from GITHUB_TOKEN: checkout uses it for read access, cache operations rely on ACTIONS_RUNTIME_TOKEN rather than GITHUB_TOKEN, and all other sensitive operations (badge updates, API calls) use dedicated repository secrets. No write operations via GITHUB_TOKEN exist in either workflow, so restricting to contents: read introduces no breakage.
  • No files require special attention.

Important Files Changed

Filename: .github/workflows/ci.yml
Overview: Adds permissions: contents: read at workflow level — minimal scope sufficient for all steps (checkout, cache via ACTIONS_RUNTIME_TOKEN, and badge update via GIST_TOKEN).

Filename: .github/workflows/integration-tests.yml
Overview: Adds permissions: contents: read at workflow level — all secrets-dependent steps use repository secrets rather than GITHUB_TOKEN, so no functional impact.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A([Trigger]) --> B["Workflow permissions: contents: read"]
    B --> C["Checkout code"]
    C --> D["Cache Go modules via ACTIONS_RUNTIME_TOKEN"]
    D --> E{Which Workflow?}
    E -->|ci.yml| F["Build and Test: go vet, gofmt, go test"]
    E -->|integration-tests.yml| G["Run tests using repository secrets"]
    F --> H{main branch plus go 1.24?}
    H -->|Yes| I["Update badge using GIST_TOKEN"]
    H -->|No| J([Done])
    I --> J
    G --> J

Last reviewed commit: feaf5cc
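The condition behind this PR (a workflow with no top-level permissions block inherits the repository's default GITHUB_TOKEN scope, which is what the CodeQL alert flags) can be checked mechanically. The following is an added example, not code from this repository or from Greptile: a small line-based audit of workflow YAML that reports a missing block or any write scope. It assumes the conventional layout where the permissions key sits at column 0 with 2-space-indented scopes, so it needs no YAML library; the BEFORE/AFTER samples are constructed to mirror the change described above.

```python
"""Audit GitHub Actions workflow text for an explicit, least-privilege
GITHUB_TOKEN permissions block. Added example, not part of PR #20."""
import re
from typing import Optional

# Workflow-level keys sit at column 0; a job-level 'permissions:' is indented
# and therefore deliberately ignored by this top-level check.
_TOP_KEY = re.compile(r"^([A-Za-z_-]+):\s*(.*)$")
_SCOPE = re.compile(r"^\s+([a-z-]+):\s*(read|write|none)\s*$")


def top_level_permissions(workflow_text: str) -> Optional[dict]:
    """Return the workflow-level permissions mapping, or None if absent.
    The 'write-all' / 'read-all' shorthand is returned as {'*': level}.
    Assumption: standard layout (key at column 0, scopes indented)."""
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        m = _TOP_KEY.match(line)
        if not m or m.group(1) != "permissions":
            continue
        inline = m.group(2).strip()
        if inline in ("write-all", "read-all"):
            return {"*": inline.split("-")[0]}
        if inline == "{}":
            return {}
        scopes = {}
        for sub in lines[i + 1:]:
            if sub.strip() == "" or sub.lstrip().startswith("#"):
                continue
            s = _SCOPE.match(sub)
            if not s:
                break  # next top-level key ends the permissions block
            scopes[s.group(1)] = s.group(2)
        return scopes
    return None


def audit(workflow_text: str) -> list:
    """Findings a reviewer would raise; an empty list means least privilege."""
    perms = top_level_permissions(workflow_text)
    if perms is None:
        return ["no top-level permissions block: GITHUB_TOKEN gets the repository default (CodeQL alert)"]
    if perms.get("*") == "write":
        return ["permissions: write-all grants every scope"]
    return [f"scope '{k}' is write; confirm a step needs it" for k, v in perms.items() if v == "write"]


# Constructed samples: a workflow before and after adding the block from this PR.
BEFORE = "name: CI\non: [push]\njobs:\n  test:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v6\n"
AFTER = "name: CI\non: [push]\npermissions:\n  contents: read\njobs:\n  test:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v6\n"
```

Running audit() over each file under .github/workflows/ gives the same signal as the CodeQL alert; a write scope that survives the audit should be justified by a specific step and, where possible, moved to job level.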

@tirthpatell tirthpatell merged commit c0e51e0 into main Mar 13, 2026
8 of 9 checks passed
@tirthpatell tirthpatell deleted the fix/ci-permissions branch March 13, 2026 22:07
@tirthpatell tirthpatell self-assigned this Mar 13, 2026