Description
The CI workflow (.github/workflows/ci.yml) does not set a top-level `permissions:` block. Without one, every job inherits the default GITHUB_TOKEN permissions, which on push events include write access to contents, packages, deployments and more.
Proposed fix: add a top-level `permissions:` block with `contents: read` so the default token is read-only. None of the current jobs need elevated permissions, so no job-level overrides are required.
This follows the GitHub-recommended least-privilege principle for workflow tokens.
Jobs affected (gain explicit read-only restriction)
| Job | What it does | Needs write? |
|---|---|---|
| test-quality | actions/checkout + ruff + pyright | No |
| test-all | actions/checkout + pytest + Codecov upload | No (Codecov uses its own token) |
| test-prototype-integration | actions/checkout + Streamlit smoke test | No |
| test-docker | actions/checkout + Docker build + run | No |
Change required

```yaml
name: CI

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

permissions:
  contents: read   # ← add this line

jobs:
  ...
```
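As an added check for reviewing this and other workflows (example code, not part of this issue or the project), the scanner below reports whether a workflow sets top-level `permissions:`, which jobs override it, and which jobs would still inherit the repository's default GITHUB_TOKEN permissions. It uses a line-based scan instead of a YAML library and assumes the usual indented workflow layout; the sample workflow is constructed to match the shape described above, not the real ci.yml.

```python
"""Added check: does a GitHub Actions workflow restrict the GITHUB_TOKEN?
Line-based scan (no PyYAML needed); assumes the usual indented workflow layout."""
import re
from typing import Dict, Union

_KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):\s*(.*?)\s*$")
Perms = Union[None, str, Dict[str, str]]   # None = unset, str = shorthand (read-all, {} ...)


def audit_workflow(text: str) -> Dict[str, object]:
    """Return the top-level permissions, each job's permissions, and the jobs that
    would inherit the repository's default GITHUB_TOKEN permissions."""
    top: Perms = None
    jobs: Dict[str, Perms] = {}
    section = job = job_indent = perm_indent = target = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()    # drop comments; values here never contain '#'
        m = _KEY_RE.match(line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        if target is not None and indent > perm_indent:
            target[key] = value                   # scope entry inside a permissions: block
            continue
        target = perm_indent = None
        if indent == 0:                           # a new top-level key
            section, job, job_indent = key, None, None
            if key == "permissions":
                top = value or {}
                target, perm_indent = (top if isinstance(top, dict) else None), 0
        elif section == "jobs":
            job_indent = job_indent or indent     # first child of jobs: fixes the job-id indent
            if indent == job_indent:
                job, jobs[key] = key, None        # new job id; no permissions seen yet
            elif job and key == "permissions":
                jobs[job] = value or {}
                target = jobs[job] if isinstance(jobs[job], dict) else None
                perm_indent = indent
    return {"top_level_permissions": top, "jobs": jobs,
            "jobs_inheriting_default_token": [j for j, p in jobs.items()
                                              if p is None and top is None]}


# Constructed sample in the shape the issue describes (not the project's real ci.yml).
BEFORE = ("name: CI\non:\n  push:\n    branches: [ main ]\njobs:\n"
          "  test-quality:\n    runs-on: ubuntu-latest\n    steps:\n"
          "      - uses: actions/checkout@v4\n      - run: ruff check .\n")
AFTER = BEFORE.replace("jobs:", "permissions:\n  contents: read   # the proposed fix\njobs:", 1)
```

Running `audit_workflow` on BEFORE lists `test-quality` as inheriting the default token; on AFTER the top-level block is `{"contents": "read"}` and the list is empty.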