Commit 389b9cc

ci: add explicit permissions block for least-privilege
Mirrors LunarCommand/openarmature-examples#3: pin GITHUB_TOKEN to `contents: read`. The workflow only needs to checkout code + the spec submodule; no writes.
1 parent b649855 commit 389b9cc

1 file changed

Lines changed: 5 additions & 0 deletions

.github/workflows/ci.yml

@@ -6,6 +6,11 @@ on:
66
push:
77
branches: [main]
88

9+
# Least-privilege: the workflow only needs to read code (checkout +
10+
# submodule). No writes anywhere.
11+
permissions:
12+
contents: read
13+
914
# Cancel in-flight runs on the same ref when a new push lands.
1015
concurrency:
1116
group: ${{ github.workflow }}-${{ github.ref }}
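
Review bot: The comment above `permissions:` says why `contents: read` suffices but not that declaring this block drops every scope left unlisted to `none`, which is the part a later contributor will trip over. Consider extending the comment to say that a job needing another scope should declare its own job-level `permissions:` rather than widening this workflow-level block. Since the jobs are outside this hunk, it is also worth confirming that no job below already carries a broader `permissions:` of its own, because a job-level block replaces this one for that job.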
