From b024f428e5c6054a66db1f20dfd35dc6c1d719c9 Mon Sep 17 00:00:00 2001 From: Alb3e3 <74142887+Alb3e3@users.noreply.github.com> Date: Sat, 27 Jun 2026 13:56:43 +0200 Subject: [PATCH] ci: set least-privilege GITHUB_TOKEN permissions Add a workflow-level `permissions: { contents: read }` block. The affected workflow(s) only build, test, and/or fuzz the project; no job writes to the repository or other GitHub resources, so read-only is the correct least-privilege scope for the default GITHUB_TOKEN. --- .github/workflows/CI.yml | 3 +++ .github/workflows/ci-fuzz.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml index b06ab11d..d91aebb9 100644 --- a/.github/workflows/CI.yml +++ b/.github/workflows/CI.yml @@ -12,6 +12,9 @@ on: - '**.md' - 'LICENSE' +permissions: + contents: read + jobs: linux: runs-on: ubuntu-latest diff --git a/.github/workflows/ci-fuzz.yml b/.github/workflows/ci-fuzz.yml index 9e8be0bc..e0760476 100644 --- a/.github/workflows/ci-fuzz.yml +++ b/.github/workflows/ci-fuzz.yml @@ -1,5 +1,8 @@ name: CIFuzz on: [pull_request] +permissions: + contents: read + jobs: Fuzzing: runs-on: ubuntu-latest