[Sec] least privilege for actions (#241)

haochengxia · web-flow · commit c9fcc20ac061 · 2025-06-27T09:00:37.000-04:00
diff --git a/.github/workflows/code-quality.yml b/.github/workflows/code-quality.yml
@@ -2,6 +2,9 @@ name: Code Quality
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   code-quality:
     name: Code Quality Checks
diff --git a/.github/workflows/npm-release.yml b/.github/workflows/npm-release.yml
@@ -9,6 +9,10 @@ on:
     paths:
       - 'libCacheSim-node/**'
 
+permissions:
+  contents: write  # Needed for creating releases and accessing repository contents
+  actions: read    # Needed for workflow actions
+
 env:
   BUILD_TYPE: Release
 
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -15,7 +15,9 @@ on:
     branches: [ "develop" ]
 
 # Declare default permissions as read only.
-permissions: read-all
+permissions:
+  contents: read
+  actions: read
 
 jobs:
   analysis:
