Restrict workflow permissions to contents: read

All CI jobs and the deploy workflow only need to read repo contents. Adding explicit top-level permissions satisfies zizmor's excessive-permissions audit. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-17 19:34:07 +01:00
parent 2675491216
commit 22d72e8a34
2 changed files with 6 additions and 0 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -18,6 +18,9 @@ on:
      - ".gitignore"
      - ".github/workflows/deploy.yml"

+permissions:
+  contents: read
+
 jobs:
  backend-lint:
    runs-on: ubuntu-latest
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -3,6 +3,9 @@ name: Deploy
 on:
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  deploy:
    runs-on: ubuntu-latest