Add explicit permissions to GitHub Actions workflows

mraible · mraible · commit 965f0bf41833 · 2025-09-17T21:28:02.000-07:00
Resolves CodeQL security alerts by restricting GITHUB_TOKEN to contents:read only
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -1,6 +1,9 @@
 name: Sample CI
 on: [ push, pull_request ]
 
+permissions:
+  contents: read
+
 jobs:
   test-functions:
     strategy:
diff --git a/.github/workflows/pylint.yml b/.github/workflows/pylint.yml
@@ -8,6 +8,9 @@ on:
     paths:
       - '**.py'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     runs-on: ubuntu-latest
