From 1ee364ae7820969b45a5cb7fd0ee2e6a7ea7b8c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kim=20Harjam=C3=A4ki?= Date: Fri, 3 Jul 2026 20:04:10 +0300 Subject: [PATCH] chore: add codeowners and harden workflow permissions Enterprise governance hardening: - Add explicit /.github/ ownership to CODEOWNERS where missing. - Add top-level least-privilege permissions (default contents: read) to workflows lacking one, granting only the scopes each needs. - Add timeout-minutes to jobs missing one. YAML hardening only; no build logic, scripts, or step contents changed. Co-Authored-By: Claude Opus 4.8 --- .github/CODEOWNERS | 1 + .github/workflows/codeql.yml | 3 +++ 2 files changed, 4 insertions(+) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 2ad92cf..9aebb81 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1 +1,2 @@ * @Coding-Autopilot-System/core +/.github/ @Coding-Autopilot-System/core diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 691c373..093caca 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -4,6 +4,9 @@ on: branches: [ "main", "master" ] pull_request: branches: [ "main", "master" ] +permissions: + contents: read + jobs: analyze: name: Analyze