fix: add explicit empty permissions to deploy-railway.yml (#1132)

msukkari · cursoragent · web-flow · commit f2d1985f884c · 2026-04-17T19:31:42.000-07:00
* fix: add explicit empty permissions to deploy-railway.yml Add permissions: {} at the workflow level to explicitly deny all GitHub token permissions, following the principle of least privilege. This workflow only needs RAILWAY_TOKEN and has no use for GitHub token access. Fixes the CodeQL actions/missing-workflow-permissions alert #27. Co-authored-by: Michael Sukkarieh <msukkari@users.noreply.github.com> * docs: add CHANGELOG entry for deploy-railway permissions fix Co-authored-by: Michael Sukkarieh <msukkari@users.noreply.github.com> --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: Michael Sukkarieh <msukkari@users.noreply.github.com>
diff --git a/.github/workflows/deploy-railway.yml b/.github/workflows/deploy-railway.yml
@@ -1,5 +1,7 @@
 name: Deploy to Railway
 
+permissions: {}
+
 on:
   workflow_run:
     workflows: ["Release Sourcebot (Development)"]
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 - Fixed revision selection so the 64-revision cap prefers the newest matching branches and tags instead of pruning by ref-name order. [#1122](https://github.com/sourcebot-dev/sourcebot/pull/1122)
 - Fixed infinite pagination loop in Gitea/Forgejo when an API token can only see a subset of org repos (the `x-total-count` header reports org total while token returns fewer items). [#1130](https://github.com/sourcebot-dev/sourcebot/pull/1130)
+- Fixed CodeQL missing-workflow-permissions alert by adding explicit empty permissions to `deploy-railway.yml`. [#1132](https://github.com/sourcebot-dev/sourcebot/pull/1132)
 
 ## [4.16.11] - 2026-04-17
 
