chore(ci): harden GHA workflows with least-privilege permissions by fzipi · Pull Request #4 · corazawaf/coraza-apache

fzipi · 2026-03-16T18:26:20Z

Summary

Hardens all GitHub Actions workflows with least-privilege permissions following security best practices.

Workflow	Changes
`build.yml`	Set top-level `permissions: {}` (deny-all); added job-level `contents: read`; expanded trigger to explicit `push`/`pull_request` with `branches: [main]`
`package.yml`	Moved `contents: write` + `id-token: write` from top-level to `package` job; added `contents: read` to `install-test` job; set top-level to `permissions: {}`; fixed expression injection by passing `github.event.release.tag_name` through env var
`release.yml`	Moved permissions from top-level to `release-please` job (`contents: write`, `pull-requests: write`); removed unnecessary `issues: write`; set top-level to `permissions: {}`
`stale.yml`	Moved permissions to job-level (`issues: write`, `pull-requests: write`); removed unnecessary `contents: write`; set top-level to `permissions: {}`

chore(ci): harden GHA workflows with least-privilege permissions

40664fd

fzipi merged commit bbaf053 into main Mar 16, 2026
2 checks passed

fzipi deleted the chore/harden-ci branch March 16, 2026 18:30