ci(workflows): add explicit permissions to all workflows
- agent-verify: add issues: write (was missing, writes comments/labels)
- ci: add contents: read (explicit least-privilege)
- coverage: add contents: read (explicit least-privilege)

All workflows now declare permissions explicitly. Repo default is read-only, so workflows without a block silently lacked write access.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
parent 08226cb365
commit 51c313373c
3 changed files with 9 additions and 0 deletions
3
.github/workflows/agent-verify.yml
vendored
|
|
@ -5,6 +5,9 @@ on:
|
||||||
issues:
|
issues:
|
||||||
types: [labeled]
|
types: [labeled]
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
issues: write
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
# When work is claimed, track the implementer
|
# When work is claimed, track the implementer
|
||||||
track-implementer:
|
track-implementer:
|
||||||
|
|
|
||||||
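Review bot: the new top-level `permissions:` block above `jobs:` lists only `issues: write`, and under GitHub Actions semantics declaring any scope sets every unlisted scope to none, so a job in this workflow that checks out the repository would no longer have read access to contents. If any job does, add `contents: read` next to it. Because the grant sits at workflow level it also applies to every job, not only `track-implementer`; moving `issues: write` into the jobs that actually comment or label would keep the rest of the workflow without write access.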
3
.github/workflows/ci.yml
vendored
|
|
@ -7,6 +7,9 @@ on:
|
||||||
branches: [dev, main]
|
branches: [dev, main]
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
|
||||||
env:
|
env:
|
||||||
CORE_VERSION: dev
|
CORE_VERSION: dev
|
||||||
|
|
||||||
|
|
|
||||||
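Review bot: the `permissions:` block added between `workflow_dispatch:` and `env:` is not fully equivalent to a read-only default, because listing only `contents: read` drops every other scope to none, including `packages: read`, which GitHub's restricted default token carries. If any CI step pulls from the package registry with the workflow token, add `packages: read`; otherwise a one-line comment above `permissions:` stating that the workflow needs nothing beyond checkout would help whoever next adds a step that does.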
3
.github/workflows/coverage.yml
vendored
|
|
@ -7,6 +7,9 @@ on:
|
||||||
branches: [dev, main]
|
branches: [dev, main]
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
|
||||||
env:
|
env:
|
||||||
CORE_VERSION: dev
|
CORE_VERSION: dev
|
||||||
|
|
||||||
|
|
|
||||||
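Review bot: with only `contents: read` in the block added before `env:`, the workflow token cannot post pull request comments, commit statuses or check runs, which is where coverage jobs commonly report. If this workflow reports results through the workflow token rather than a separate upload secret, grant that scope (for example `pull-requests: write`) on the reporting job only; if it does not, a short comment above `permissions:` saying so would document the intent.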