fix(ci): move write permissions to job level for Scorecard compliance

JasonXuDeveloper · JasonXuDeveloper · commit 09218e009bf8 · 2026-01-26T19:30:29.000+11:00
- pr-tests.yml: Set workflow-level to read-all, add explicit permissions to each job
- unity-tests.yml: Set workflow-level to read-all, keep job-level write permissions

This addresses OpenSSF Scorecard Token-Permissions alerts.

Signed-off-by: JasonXuDeveloper &lt;jasonxudeveloper@gmail.com&gt;
Signed-off-by: JasonXuDeveloper - 傑 &lt;jason@xgamedev.net&gt;
diff --git a/.github/workflows/pr-tests.yml b/.github/workflows/pr-tests.yml
@@ -12,15 +12,14 @@ concurrency:
   group: pr-tests-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
-permissions:
-  contents: read
-  pull-requests: write
-  statuses: write
+permissions: read-all
 
 jobs:
   changes:
     name: Detect Changes
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       should_test: ${{ steps.filter.outputs.src }}
     steps:
@@ -75,6 +74,8 @@ jobs:
     needs: [changes, run-tests]
     runs-on: ubuntu-latest
     if: needs.changes.outputs.should_test == 'true' && needs.run-tests.result == 'success'
+    permissions:
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
diff --git a/.github/workflows/unity-tests.yml b/.github/workflows/unity-tests.yml
@@ -23,9 +23,7 @@ on:
         description: 'Test results summary'
         value: ${{ jobs.test.outputs.results }}
 
-permissions:
-  contents: read
-  checks: write
+permissions: read-all
 
 jobs:
   test:
