From 536ed98277e30967fcb467dc78b34e0938ca85a3 Mon Sep 17 00:00:00 2001 From: Paradoxbound Date: Sat, 7 Mar 2026 20:13:02 +0000 Subject: [PATCH] ci: add top-level permissions: read-all to workflows Resolves TokenPermissionsID Scorecard alerts (#57, #58). Sets a secure read-only default; each job in docker-publish.yml already declares its own minimal write permissions. Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/docker-publish.yml | 2 ++ .github/workflows/functional-tests.yml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 8627585..f385717 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -7,6 +7,8 @@ on: branches: [main] workflow_dispatch: +permissions: read-all + env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} diff --git a/.github/workflows/functional-tests.yml b/.github/workflows/functional-tests.yml index a66450d..30825b6 100644 --- a/.github/workflows/functional-tests.yml +++ b/.github/workflows/functional-tests.yml @@ -7,6 +7,8 @@ on: branches: [main] workflow_dispatch: +permissions: read-all + jobs: test: runs-on: ubuntu-latest