From b4e65562eb331a87d8272ce359a0969a3bc00759 Mon Sep 17 00:00:00 2001 From: Juha Jeronen Date: Fri, 12 Jun 2026 00:10:34 +0300 Subject: [PATCH] ci: set least-privilege GITHUB_TOKEN permissions Add top-level `permissions: contents: read` to every workflow. Without it, jobs inherit the repo-default token scope (often read-write), so a malicious dependency executing during install/build/test on a push to the default branch would hold a write-capable token. Read-only by default denies that; the publish job keeps its own job-level `id-token: write` block (job-level permissions override the top-level default), so trusted-publishing is unaffected. Complements the SHA-pinning: pinning stops untrusted code from running; this limits what it can do if it runs anyway. Fork-PR tokens are already forced read-only by GitHub; this closes the push-triggered path. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/ci.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6f5acfd..8e76048 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -7,6 +7,9 @@ on: pull_request: branches: [master] +permissions: + contents: read + jobs: lint: runs-on: ubuntu-latest
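Review bot: the commit message says the top-level `permissions: contents: read` is added to every workflow, but the diffstat and hunk touch only `.github/workflows/ci.yml` (1 file changed, 3 insertions); either the other workflows need the same three lines or the message should say only ci.yml is covered. Also, the publish job's job-level `id-token: write` block referenced in the message is not in this hunk, so it cannot be checked here; worth confirming that it also lists `contents: read`, because a job-level `permissions` block replaces the top-level set rather than merging with it, so a job that declares only `id-token: write` loses read access to the repository contents.

The interaction the commit message describes between the top-level default and a job-level block, as an added illustration that is not part of the patch; the job names `test` and `publish` and the step contents are assumptions, not taken from the project's workflow:

```yaml
# Top-level default: every job gets a read-only GITHUB_TOKEN unless it
# declares its own permissions block.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # No job-level block: inherits contents: read from the top level.
    steps:
      - uses: actions/checkout@<pinned-sha>   # placeholder, pin to a real SHA

  publish:
    runs-on: ubuntu-latest
    # A job-level block REPLACES the top-level set; anything not listed
    # here is set to no access. Declaring only id-token: write would drop
    # contents: read, so it is repeated explicitly.
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@<pinned-sha>   # placeholder, pin to a real SHA
```

The `<pinned-sha>` placeholders stand in for the SHA pins the commit message mentions; they are not values from the repository.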