Skip to content

ci: add least-privilege permissions to release workflow#3

Merged
adityathebe merged 1 commit into
masterfrom
claude/slidingwindow-security-scan-fc1qoj
Jul 17, 2026
Merged

ci: add least-privilege permissions to release workflow#3
adityathebe merged 1 commit into
masterfrom
claude/slidingwindow-security-scan-fc1qoj

Conversation

@adityathebe

Copy link
Copy Markdown
Member

Summary

Fixes the CodeQL code-scanning alert "Workflow does not contain permissions" (Medium) detected in .github/workflows/release.yml.

The Create Release workflow did not declare an explicit permissions block, so GITHUB_TOKEN defaulted to the repository/organization default scopes — often broader than needed. This change applies the principle of least privilege.

Changes

  • Added a top-level permissions: contents: read block so the token defaults to read-only for the whole workflow.
  • Granted the semantic-release job only the write scopes it actually requires via @semantic-release/github:
    • contents: write — create releases and git tags
    • issues: write — comment on released issues
    • pull-requests: write — comment on released pull requests

This mirrors the existing pattern already used in .github/workflows/lint.yml.

Verification

  • YAML validated with yaml.safe_load.
  • Scopes align with what the semantic-release GitHub plugin needs (releases, tags, and release comments).

🤖 Generated with Claude Code

https://claude.ai/code/session_01JwM51gNnSMcNN1YeJE8aYr


Generated by Claude Code

Resolves the CodeQL "Workflow does not contain permissions" alert by
adding an explicit top-level read-only GITHUB_TOKEN scope and granting
the semantic-release job only the write scopes it needs (contents,
issues, pull-requests). Mirrors the pattern already used in lint.yml.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01JwM51gNnSMcNN1YeJE8aYr
@adityathebe
adityathebe merged commit 87cef35 into master Jul 17, 2026
4 checks passed
@adityathebe
adityathebe deleted the claude/slidingwindow-security-scan-fc1qoj branch July 17, 2026 06:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants