From 75dd2d8e90e2e4b6ac21466fa3af12c00a59f0e6 Mon Sep 17 00:00:00 2001 From: Priyanshu Choudhary <57816400+Priyanchew@users.noreply.github.com> Date: Tue, 5 May 2026 02:12:42 +0530 Subject: [PATCH] ci(windows): add minimal permissions block to CI workflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CodeQL flagged the workflow as missing an explicit permissions declaration (security/code-scanning/61). All jobs are read-only (checkout, install, build, test) — contents: read is sufficient. Matches the workflow-level pattern already used in coverage.yml. Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/ci.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f4a384f8b..67c7f4af4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -10,6 +10,11 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +# Minimal token scope — all jobs only checkout, install, build, and test. +# None of them push code, comment on PRs, or call mutating GitHub APIs. +permissions: + contents: read + jobs: lint: name: Lint