From e7144fba7079f92ac71408be288e5e96cc8ace62 Mon Sep 17 00:00:00 2001 From: Calin Teodor Date: Sat, 6 Jun 2026 13:06:14 +0300 Subject: [PATCH 1/2] fix(ci): add workflow-level permissions: contents: read on CodeQL (CodeQL #41) --- .github/workflows/codeql.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 0b1df036..40b6dfd6 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -8,6 +8,11 @@ on: schedule: - cron: "0 6 * * 1" # weekly, Monday 6 AM UTC +# Workflow-level default — least privilege. The analyze job elevates +# security-events to write for the CodeQL upload step. +permissions: + contents: read + jobs: analyze: name: Analyze Go From 9913e562890a5fa084c0edf89e4fef65153687be Mon Sep 17 00:00:00 2001 From: Calin Teodor Date: Sat, 6 Jun 2026 13:06:16 +0300 Subject: [PATCH 2/2] fix(ci): add workflow-level permissions: contents: read on notify-canary (CodeQL #41) --- .github/workflows/notify-canary.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/notify-canary.yml b/.github/workflows/notify-canary.yml index 2852676b..833c5a32 100644 --- a/.github/workflows/notify-canary.yml +++ b/.github/workflows/notify-canary.yml @@ -24,6 +24,11 @@ on: pull_request: branches: ['**'] +# Workflow-level default — least privilege. This workflow only reads +# the repo and dispatches an external event using its own PAT secret. +permissions: + contents: read + jobs: dispatch: runs-on: ubuntu-latest