fix(scorecard): enforce granular permissions and add fuzzing placeholder

hyperpolymath · hyperpolymath · commit be5d7ac14c62 · 2026-03-18T21:36:40.000Z
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -9,7 +9,8 @@ on:
   schedule:
     - cron: '0 6 * * 1'
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   analyze:
diff --git a/.github/workflows/guix-nix-policy.yml b/.github/workflows/guix-nix-policy.yml
@@ -2,7 +2,8 @@
 name: Guix/Nix Package Policy
 on: [push, pull_request]
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   check:
diff --git a/.github/workflows/hypatia-scan.yml b/.github/workflows/hypatia-scan.yml
@@ -11,7 +11,8 @@ on:
     - cron: '0 0 * * 0'  # Weekly on Sunday
   workflow_dispatch:
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   scan:
diff --git a/.github/workflows/npm-bun-blocker.yml b/.github/workflows/npm-bun-blocker.yml
@@ -2,7 +2,8 @@
 name: NPM/Bun Blocker
 on: [push, pull_request]
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   check:
diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml
@@ -3,7 +3,8 @@ name: Code Quality
 on: [push, pull_request]
 
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   lint:
diff --git a/.github/workflows/rsr-antipattern.yml b/.github/workflows/rsr-antipattern.yml
@@ -14,7 +14,8 @@ on:
     branches: [main, master, develop]
 
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   antipattern-check:
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -7,7 +7,8 @@ on:
     - cron: '0 4 * * *'
   workflow_dispatch:
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   analysis:
diff --git a/.github/workflows/secret-scanner.yml b/.github/workflows/secret-scanner.yml
@@ -7,7 +7,8 @@ on:
   push:
     branches: [main]
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   trufflehog:
diff --git a/.github/workflows/security-policy.yml b/.github/workflows/security-policy.yml
@@ -2,7 +2,8 @@
 name: Security Policy
 on: [push, pull_request]
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   check:
diff --git a/.github/workflows/ts-blocker.yml b/.github/workflows/ts-blocker.yml
@@ -2,7 +2,8 @@
 name: TypeScript/JavaScript Blocker
 on: [push, pull_request]
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   check:
diff --git a/.github/workflows/wellknown-enforcement.yml b/.github/workflows/wellknown-enforcement.yml
@@ -15,7 +15,8 @@ on:
   workflow_dispatch:
 
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   validate:
diff --git a/.github/workflows/workflow-linter.yml b/.github/workflows/workflow-linter.yml
@@ -12,7 +12,8 @@ on:
       - '.github/workflows/**'
   workflow_dispatch:
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   lint-workflows:
@@ -53,7 +54,8 @@ jobs:
             fi
           done
           if [ $failed -eq 1 ]; then
-            echo "Add 'permissions: read-all' at workflow level"
+            echo "Add 'permissions:
+  contents: read' at workflow level"
             exit 1
           fi
           echo "All workflows have permissions declared"
