chore(ci): restrict token permissions (#7470)

Replace read-all with contents:read and add explicit permissions to follow principle of least privilege. Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
2025-10-27 08:14:18 -04:00 · 2025-08-25 23:08:21 +03:00
parent 5720d3ca7d
commit 9f7cc58d67
4 changed files with 15 additions and 1 deletions
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -1,8 +1,13 @@
 name: CIFuzz
+
 on:
  pull_request:
    branches:
      - master
+
+permissions:
+  contents: read
+
 jobs:
  Fuzzing:
    runs-on: ubuntu-latest
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -1,6 +1,11 @@
 name: golangci-lint
+
 on:
  pull_request:
+
+permissions:
+  contents: read
+
 jobs:
  golangci:
    name: lint
--- a/.github/workflows/make.doc.yml
+++ b/.github/workflows/make.doc.yml
@@ -4,7 +4,8 @@ on:
  schedule:
    - cron: '22 10 * * 0'

-permissions: read-all
+permissions:
+  contents: read

 jobs:
  fix:
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,6 +7,9 @@ on:
        description: "Commit (e.g., 52f0348)"
        default: "master"

+permissions:
+  contents: read
+
 jobs:
  release:
    name: Release