ci: add explicit least-privilege permissions to workflow

amavashev · amavashev · commit 9743a087f305 · 2026-04-18T21:38:14.000-04:00
CodeQL (actions/missing-workflow-permissions, medium) flagged the
workflow for relying on the repository's default GITHUB_TOKEN scopes,
which can be broader than the workflow needs. Declares
`permissions: contents: read` at the top level (only checkout needs
write — and CI doesn't push). Jobs that need extra scopes (e.g.
PyPI publish with id-token: write) override at the job level.

Part of org-wide CodeQL hygiene sweep — same one-line addition in
cycles-server, cycles-server-admin, cycles-server-events,
cycles-dashboard, cycles-client-python, cycles-spring-boot-starter.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   ci:
     uses: runcycles/.github/.github/workflows/ci-python.yml@main
diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
@@ -15,6 +15,10 @@ on:
           - testpypi
           - pypi
 
+# Default least-privilege; publish-* jobs override with id-token: write.
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build distributions
