chore(ci): harden workflow permissions and gate releases to owner (#211)

stormslowly · web-flow · commit 64a744044cbd · 2026-05-13T14:34:59.000+08:00
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
@@ -16,6 +16,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   benchmark:
     name: Benchmark
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -18,6 +18,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: ${{ github.ref_name != 'main' }}
 
+permissions:
+  contents: read
+
 defaults:
   run:
     shell: bash
diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml
@@ -16,6 +16,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.ref_name != 'main' }}
 
+permissions:
+  contents: read
+
 jobs:
   coverage:
     name: Code Coverage
diff --git a/.github/workflows/release-npm.yml b/.github/workflows/release-npm.yml
@@ -34,11 +34,7 @@ on:
         required: false
         default: true
 
-permissions:
-  # To publish packages with provenance
-  id-token: write
-  # Allow commenting on issues for `reusable-build.yml`
-  issues: write
+permissions: {}
 
 jobs:
   build:
@@ -65,6 +61,8 @@ jobs:
           - target: aarch64-apple-darwin
             runner: "macos-latest"
 
+    permissions:
+      contents: read
     uses: ./.github/workflows/reusable-build.yml
     with:
       target: ${{ matrix.array.target }}
@@ -77,8 +75,9 @@ jobs:
     name: Release
     environment: npm
     permissions:
+      # push release tag via scripts/x.mjs publish --push-tags
       contents: write
-      # To publish packages with provenance
+      # OIDC provenance for npm publish
       id-token: write
     runs-on: ubuntu-latest
     needs: build
diff --git a/.github/workflows/release-plz.yml b/.github/workflows/release-plz.yml
@@ -13,17 +13,18 @@ on:
         required: false
         default: false
 
-permissions:
-  # trust publish needs
-  id-token: write
-  # push tag
-  contents: write
+permissions: {}
 
 jobs:
   release-plz:
     name: Release-plz
     runs-on: ubuntu-latest
     environment: crate
+    permissions:
+      # OIDC trusted publishing to crates.io
+      id-token: write
+      # push release tag
+      contents: write
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml
@@ -35,8 +35,7 @@ env:
   CARGO_INCREMENTAL: 0
 
 permissions:
-  # Allow commenting on issues
-  issues: write
+  contents: read
 
 jobs:
   build:
