Commit 35c6c4a
ci: set least-privilege workflow permissions (#555)
Add a top-level deny-all permissions block to qc.yml and codeql.yml, and
grant the QC job only contents: read. qc.yml previously set no permissions,
so it inherited the repository default token scope (code scanning alert #6,
CWE-275). codeql.yml already scoped its job permissions; this adds the
matching top-level default.
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>1 parent 80e6c12 commit 35c6c4a
2 files changed
Lines changed: 9 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
9 | 9 | | |
10 | 10 | | |
11 | 11 | | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
12 | 15 | | |
13 | 16 | | |
14 | 17 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
13 | 13 | | |
14 | 14 | | |
15 | 15 | | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
16 | 19 | | |
17 | 20 | | |
18 | 21 | | |
19 | 22 | | |
20 | 23 | | |
21 | 24 | | |
22 | 25 | | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
23 | 29 | | |
24 | 30 | | |
25 | 31 | | |
| |||
0 commit comments