Skip to content

ci: add top-level permissions: read-all to workflows#57

Merged
paradoxbound merged 1 commit into
mainfrom
fix/workflow-token-permissions
Mar 7, 2026
Merged

ci: add top-level permissions: read-all to workflows#57
paradoxbound merged 1 commit into
mainfrom
fix/workflow-token-permissions

Conversation

@paradoxbound

Copy link
Copy Markdown
Owner

Resolves TokenPermissionsID Scorecard alerts #57 and #58.

Adds permissions: read-all at the top level of both functional-tests.yml and docker-publish.yml. This sets a secure read-only default for the GITHUB_TOKEN. Each job in docker-publish.yml already has its own minimal job-level permissions — those are unchanged.

Alert #79 (contents: write on the merge job) will remain as an informational warning since git tag creation legitimately requires it.

No version bump — CI-only change.

🤖 Generated with Claude Code

Resolves TokenPermissionsID Scorecard alerts (#57, #58).
Sets a secure read-only default; each job in docker-publish.yml
already declares its own minimal write permissions.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@paradoxbound paradoxbound merged commit cd63d39 into main Mar 7, 2026
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant