Add explicit permissions to workflow jobs (CodeQL fixes)

dpark01 · claude · dpark01 · commit 0261125d5660 · 2026-02-03T11:24:07.000-05:00
- Add contents: read permission to paths-filter and get-version jobs
- Add contents: read and packages: read permissions to all test jobs
- Add contents: read permission to docs build job

Fixes CodeQL alerts for missing-workflow-permissions.

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -19,6 +19,8 @@ jobs:
   # Determine which paths changed to enable smart test filtering
   paths-filter:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       core: ${{ steps.filter.outputs.core }}
       assemble: ${{ steps.filter.outputs.assemble }}
@@ -76,6 +78,8 @@ jobs:
   # Calculate version from git describe (once, shared by all jobs)
   get-version:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       version: ${{ steps.version.outputs.version }}
     steps:
@@ -427,6 +431,9 @@ jobs:
     needs: [paths-filter, get-version, build-core]
     if: needs.paths-filter.outputs.core == 'true' || needs.paths-filter.outputs.docker == 'true'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read
 
     steps:
       - name: Checkout repository
@@ -493,6 +500,9 @@ jobs:
     needs: [paths-filter, get-version, build-core, build-derivatives]
     if: needs.paths-filter.outputs.assemble == 'true' || needs.paths-filter.outputs.core == 'true' || needs.paths-filter.outputs.docker == 'true'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read
 
     steps:
       - name: Checkout repository
@@ -567,6 +577,9 @@ jobs:
     needs: [paths-filter, get-version, build-core, build-derivatives]
     if: needs.paths-filter.outputs.classify == 'true' || needs.paths-filter.outputs.core == 'true' || needs.paths-filter.outputs.docker == 'true'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read
 
     steps:
       - name: Checkout repository
@@ -641,6 +654,9 @@ jobs:
     needs: [paths-filter, get-version, build-core, build-derivatives]
     if: needs.paths-filter.outputs.phylo == 'true' || needs.paths-filter.outputs.core == 'true' || needs.paths-filter.outputs.docker == 'true'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read
 
     steps:
       - name: Checkout repository
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -22,6 +22,8 @@ on:
 jobs:
   build-docs:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout repository
