Add explicit permissions to CI workflow

arpitjain099 · arpitjain099 · commit 28efb169d5fb · 2026-05-13T15:05:52.000+09:00
Declare workflow-level contents: read as the default least-privilege scope,
and override per-job to contents: write for the build job because
maven-dependency-submission-action posts to the Dependency submission API
and that endpoint requires contents: write.

This documents the actual scope needed by each part of the workflow rather
than inheriting the repository default token permissions, which is the
recommended hardening pattern.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -6,13 +6,20 @@ on:
   pull_request:
     branches: [ "main" ]
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
+    # `Update dependency graph` step uses maven-dependency-submission-action,
+    # which posts to the Dependency submission API and requires `contents: write`.
+    permissions:
+      contents: write
 
     steps:
     - uses: actions/checkout@v4
