fix: add explicit permissions to all GitHub Actions workflows

Zee2413 · Zee2413 · commit 7c12be1be8ba · 2026-03-30T14:10:26.000-04:00
Add top-level permissions blocks to restrict GITHUB_TOKEN scope,
resolving 24 CodeQL code-scanning alerts (actions/missing-workflow-permissions).

Without explicit permissions, workflows get the repo's default token
permissions, which is typically overly broad. This follows the principle
of least privilege — if a compromised action runs, it only has the
minimum access needed.

- action-ci.yml: contents: read
- pr.yml: contents: read
- pre-commit.yml: contents: read
- release.yml: contents: read (jobs needing write already have explicit blocks)
- security_audit.yml: contents: read, security-events: write
- typescript_library.yml: contents: read
diff --git a/.github/workflows/action-ci.yml b/.github/workflows/action-ci.yml
@@ -8,6 +8,8 @@ on:
     paths:
       - "action/**"
       - "action.yml"
+permissions:
+  contents: read
 jobs:
   run-unit-tests:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -13,7 +13,8 @@ on:
 env:
   CARGO_TERM_COLOR: always
   FUZZ_TIME: 420
-
+permissions:
+  contents: read
 jobs:
   build:
     name: Build all crates & run unit tests
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -14,6 +14,8 @@ on:
       - .github/workflows/pre-commit.yml
       - .pre-commit-config.yaml
       - .pre-commit-hooks.yaml
+permissions:
+  contents: read
 jobs:
   run-unit-tests-and-lint:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -19,7 +19,8 @@ on:
         default: false
 env:
   CARGO_TERM_COLOR: always
-
+permissions:
+  contents: read
 jobs:
   # ---------------------------------------------------------------------------
   # 1. Validate input & run tests
diff --git a/.github/workflows/security_audit.yml b/.github/workflows/security_audit.yml
@@ -2,7 +2,8 @@ name: Security audit
 on:
   schedule:
     - cron: "0 17 * * *"
-
+permissions:
+  contents: read
 jobs:
   audit:
     if: github.repository == 'aws-cloudformation/cloudformation-guard'
diff --git a/.github/workflows/typescript_library.yml b/.github/workflows/typescript_library.yml
@@ -6,6 +6,8 @@ on:
   pull_request:
     paths:
       - 'guard/ts-lib/**'
+permissions:
+  contents: read
 jobs:
   run-unit-tests-windows:
     runs-on: windows-latest
