From 69457e8f8138e7e1b1e9e8a6cc88af40f55cb41b Mon Sep 17 00:00:00 2001
From: Arne Huang <9079232+arnehuang@users.noreply.github.com>
Date: Sat, 9 May 2026 10:00:28 -0700
Subject: [PATCH] Add empty permissions block at workflow level
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Caps GITHUB_TOKEN's blast radius. None of these workflows need any GitHub API write scope — they only push to Docker Hub — so the safest default is permissions: {}, matching the posture used by AsamK/signal-cli.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/ci.yml | 2 ++
 .github/workflows/release-dev-version.yml | 4 +++-
 .github/workflows/release-productive-version.yml | 4 +++-
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ba197bc..8d17df5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,6 +8,8 @@ on:
 branches:
 - '**' #every branch
 
+permissions: {}
+
 jobs:
 setup:
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/release-dev-version.yml b/.github/workflows/release-dev-version.yml
index b2d59cd..8db6a49 100644
--- a/.github/workflows/release-dev-version.yml
+++ b/.github/workflows/release-dev-version.yml
@@ -4,9 +4,11 @@ on:
 workflow_dispatch:
 inputs:
 version:
- description: 'Version'
+ description: 'Version'
 required: true
 
+permissions: {}
+
 jobs:
 setup:
diff --git a/.github/workflows/release-productive-version.yml b/.github/workflows/release-productive-version.yml
index dc0a491..bd6bf6f 100644
--- a/.github/workflows/release-productive-version.yml
+++ b/.github/workflows/release-productive-version.yml
@@ -4,9 +4,11 @@ on:
 workflow_dispatch:
 inputs:
 version:
- description: 'Version'
+ description: 'Version'
 required: true
 
+permissions: {}
+
 jobs:
 setup:
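Review bot: The added `permissions: {}` line in ci.yml carries no in-file explanation of why every GITHUB_TOKEN scope is dropped, and the rationale lives only in the commit message; suggest `permissions: {}  # GITHUB_TOKEN gets no API scope; these jobs only push to Docker Hub`. Note that `{}` also removes `contents: read`, which `actions/checkout` needs when the repository is private — if this repository is private and any job checks out the source (the job bodies are not visible in the hunk), grant `contents: read` on that job rather than widening the workflow default. A job-level `permissions:` block replaces the workflow-level one entirely, so a job that later needs one scope must list every scope it uses. The same comment applies to the `permissions: {}` lines added in release-dev-version.yml and release-productive-version.yml.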
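Review bot: The `-`/`+` pair on `description: 'Version'` in the release-dev-version.yml hunk shows identical text, so the change it carries is invisible here — presumably trailing whitespace or indentation — and it is unrelated to the permissions change the commit message describes; either leave that line out of this commit or mention the whitespace cleanup in the message so the one deletion per release file in the diffstat is explained. The same pair appears in the release-productive-version.yml hunk. The `setup:` job that closes the hunk continues past the end of the hunk.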