Skip to content

Commit e7c193c

Browse files
emptyhammondm-hulbert
authored andcommitted
ci: drop default workflow-level permissions
Add a top-level permissions: {} so the GITHUB_TOKEN is granted no scopes by default; the job continues to declare only the contents/deployments/ pull-requests scopes it actually needs. Identified by a routine workflow security audit.
1 parent 7e23e7b commit e7c193c

1 file changed

Lines changed: 2 additions & 0 deletions

File tree

.github/workflows/review-app.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,8 @@ on:
44
pull_request:
55
types: [labeled, unlabeled, closed]
66

7+
permissions: {}
8+
79
jobs:
810
manage-review-app:
911
runs-on: ubuntu-latest

0 commit comments

Comments
 (0)