From cee4b966d86b37569d69e3c1fc2a2f8a8f496419 Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Tue, 2 Jun 2026 10:03:03 +0900
Subject: [PATCH] ci: set least-privilege permissions on workflow token

Set an explicit least-privilege permissions block so the workflow GITHUB_TOKEN is scoped to contents: read instead of inheriting the repository default.

Signed-off-by: Arpit Jain
---
 .github/workflows/compare.yml | 3 +++
 .github/workflows/measure-all-cases.yml | 3 +++
 .github/workflows/measure-date.yml | 3 +++
 .github/workflows/measure-historic.yml | 3 +++
 4 files changed, 12 insertions(+)

diff --git a/.github/workflows/compare.yml b/.github/workflows/compare.yml
index ef54b5299b..222ff5269d 100644
--- a/.github/workflows/compare.yml
+++ b/.github/workflows/compare.yml
@@ -12,6 +12,9 @@ on:
 default: "webpack@webpack/webpack#master"
 required: true
+permissions:
+ contents: read
+
 jobs:
 bench:
 strategy:
diff --git a/.github/workflows/measure-all-cases.yml b/.github/workflows/measure-all-cases.yml
index e70b8e7ac1..b38a2f3d5b 100644
--- a/.github/workflows/measure-all-cases.yml
+++ b/.github/workflows/measure-all-cases.yml
@@ -12,6 +12,9 @@ on:
 default: "2021-10-01"
 required: true
+permissions:
+ contents: read
+
 jobs:
 bench:
 strategy:
diff --git a/.github/workflows/measure-date.yml b/.github/workflows/measure-date.yml
index b464c61fbb..c87ceb4728 100644
--- a/.github/workflows/measure-date.yml
+++ b/.github/workflows/measure-date.yml
@@ -7,6 +7,9 @@ on:
 description: "Date to measure (yyyy-mm-dd)"
 default: "2021-01-01"
 required: true
+permissions:
+ contents: read
+
 jobs:
 bench:
 strategy:
diff --git a/.github/workflows/measure-historic.yml b/.github/workflows/measure-historic.yml
index 98ed2847a1..fa14aebae0 100644
--- a/.github/workflows/measure-historic.yml
+++ b/.github/workflows/measure-historic.yml
@@ -11,6 +11,9 @@ on:
 description: "Scenario to measure"
 default: "development-build"
 required: true
+permissions:
+ contents: read
+
 jobs:
 bench:
 strategy:
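Review bot: The new top-level `permissions:` block in compare.yml has no comment recording that every scope it does not list becomes `none` for all jobs in the workflow, which is the detail a later maintainer needs when a step that uses the token starts failing. I would add `# GITHUB_TOKEN is read-only; unlisted scopes are none. Grant extra scopes per job, not here.` directly above `permissions:`. The `jobs:` body continues outside the hunk, so it is worth confirming that no step in `bench` pushes results or otherwise writes with GITHUB_TOKEN; if one does, a job-level `permissions:` override is preferable to widening this block. The same applies to the identical hunks in measure-all-cases.yml, measure-date.yml and measure-historic.yml.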
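Review bot: In measure-date.yml the added `permissions:` line appears to sit directly under `required: true` with no empty line between them, judging by the six context lines the hunk header declares and the six non-blank context lines shown; compare.yml and measure-all-cases.yml seem to have a blank context line at that spot. Starting the insertion with an empty line would keep the new top-level key visually apart from the nested `workflow_dispatch` inputs and make the four files consistent. measure-historic.yml has the same layout.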