From bda1a5fc22be885779d6a4fe7d712869856d879a Mon Sep 17 00:00:00 2001
From: sacha
Date: Fri, 24 Apr 2026 15:45:41 +0200
Subject: [PATCH] ci: add minimal permissions block to workflows

Follow principle of least privilege: ci.yml now declares contents:read explicitly; release.yml permissions verified/aligned. Refs POM-176, CodeQL alert #1 (actions/missing-workflow-permissions).
---
.github/workflows/ci.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f009125..d3ce875 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,6 +10,9 @@ concurrency: group: ci-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: build-test: runs-on: ubuntu-latest
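Review bot: Once the workflow-level `permissions:` block above `jobs:` names any scope, every scope it does not list becomes `none` for all jobs in ci.yml. The hunk shows only the first line of `build-test`, so it cannot be confirmed from here that no later step needs more than `contents: read` (for example a step that comments on pull requests or uploads code-scanning results). If one does, give that job its own `permissions:` mapping instead of widening this block. The block would also benefit from a comment stating the intent, e.g. `# Least privilege: GITHUB_TOKEN is read-only by default; jobs needing more declare it at job level.` Separately, the commit message says release.yml was verified, but the diffstat lists only ci.yml, so that claim cannot be reviewed in this patch.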