ci(workflows): add explicit permissions to all workflows
- agent-verify: add issues: write (was missing, writes comments/labels)
- ci: add contents: read (explicit least-privilege)
- coverage: add contents: read (explicit least-privilege)

All workflows now declare permissions explicitly. Repo default is read-only, so workflows without a block silently lacked write access.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
parent 08226cb365
commit 51c313373c
3 changed files with 9 additions and 0 deletions
3
.github/workflows/agent-verify.yml
vendored
|
|
@ -5,6 +5,9 @@ on:
|
|||
issues:
|
||||
types: [labeled]
|
||||
|
||||
permissions:
|
||||
issues: write
|
||||
|
||||
jobs:
|
||||
# When work is claimed, track the implementer
|
||||
track-implementer:
|
||||
|
|
|
|||
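Review bot: `issues: write` is declared at workflow level here, above `jobs:`, so every job in agent-verify.yml receives a write-capable issues token on each `issues: labeled` event, not only the jobs that actually post comments or labels. Consider moving the grant onto the specific jobs that write (for example under `track-implementer:` if that is one of them) and leaving the top-level block read-only or empty. Also, once a `permissions` block is present, GitHub Actions sets every unlisted scope to `none`, so any job in this file that checks out the repository needs `contents: read` alongside `issues: write`.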
3
.github/workflows/ci.yml
vendored
|
|
@ -7,6 +7,9 @@ on:
|
|||
branches: [dev, main]
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
env:
|
||||
CORE_VERSION: dev
|
||||
|
||||
|
|
|
|||
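Review bot: With only `contents: read` in the top-level block added before `env:`, every other token scope (`checks`, `pull-requests`, `packages`, `id-token` and the rest) becomes `none` for all jobs in ci.yml, including runs started through `workflow_dispatch`. Please confirm that no job in this workflow publishes check results, comments on pull requests, pulls or pushes packages, or requests an OIDC token; if one does, grant that scope on the job itself rather than widening this block.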
3
.github/workflows/coverage.yml
vendored
|
|
@ -7,6 +7,9 @@ on:
|
|||
branches: [dev, main]
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
env:
|
||||
CORE_VERSION: dev
|
||||
|
||||
|
|
|
|||
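Review bot: The `permissions:` block added before `env:` has no comment stating its intent, and a coverage workflow is a likely place for someone to later add a PR comment or report upload step that then fails on a permissions error. A one-line comment above `permissions:` such as `# least privilege: grant extra scopes per job, not here` would steer that future change toward a job-level `pull-requests: write` instead of loosening the workflow-wide default.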