Merge pull request #469 from rajbos/workflow-permissions

Prevent securituy alerts

Author: rajbos

.github/workflows/check-models.yml

@@ -20,9 +20,8 @@ jobs:
     runs-on: ubuntu-latest
     if: github.actor != 'dependabot[bot]' && !startsWith(github.ref_name, 'dependabot/')
     permissions:
-      contents: write  # Need write permission to create branches and push changes
-      pull-requests: write  # Need write permission to create PRs
-      id-token: write  # Keep for potential future use
+      contents: write  # needed to create branches and push changes
+      pull-requests: write  # needed to create PRs
 
     steps:
       - name: Harden the runner (Audit all outbound calls)

.github/workflows/cli-publish.yml

@@ -27,14 +27,16 @@ on:
       - 'cli/package-lock.json'
 
 permissions:
-  contents: write
-  pull-requests: write
-  id-token: write  # Required for OIDC to npm registry
+  contents: read
 
 jobs:
   publish:
     name: Publish CLI to npm
     runs-on: ubuntu-latest
+    permissions:
+      contents: write      # needed to push version bump branch and create PR
+      pull-requests: write # needed to open the version bump PR
+      id-token: write      # required for OIDC authentication to npm registry
     defaults:
       run:
         working-directory: cli