@justin-layerv
Contributor

@justin-layerv justin-layerv commented Jan 3, 2026

Summary

Adds top-level `permissions: contents: read` to the build-binaries workflow to restrict `GITHUB_TOKEN` permissions by default.

Jobs that need write access (latest-release, release) already have explicit permissions blocks that override this default.

CodeQL Alerts Fixed

Test plan

  • Verify CI passes
  • Verify CodeQL alerts are resolved after merge

🤖 Generated with Claude Code

@justin-layerv justin-layerv self-assigned this Jan 3, 2026
@craftleon craftleon force-pushed the fix/workflow-permissions-build branch from 1407d1b to 1bec722 Compare January 6, 2026 08:24
@justin-layerv
Contributor Author

This PR has unsigned commits and cannot be merged due to GPG signature requirements.

To fix this, please either:

  1. Enable "Allow edits from maintainers" on this PR so we can sign the commits for you
  2. Or sign the commits yourself with GPG and force push

To sign commits locally:

```bash
git rebase origin/main --exec "git commit --amend --no-edit -S"
git push --force
```

Adds top-level `permissions: contents: read` to restrict GITHUB_TOKEN
permissions by default. Jobs that need write access (latest-release,
release) already have explicit permissions blocks.

Fixes CodeQL alerts #9 and #10.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@justin-layerv justin-layerv force-pushed the fix/workflow-permissions-build branch from 1bec722 to 32cc9b3 Compare January 6, 2026 22:44
@justin-layerv justin-layerv merged commit 8d90359 into main Jan 7, 2026
10 checks passed
@justin-layerv justin-layerv deleted the fix/workflow-permissions-build branch January 7, 2026 05:05
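
Added example, not part of this PR or the project's code: a small line scanner that reports which jobs in a workflow have no `permissions` set at either the workflow or the job level, run on a constructed workflow before and after adding the top-level `permissions: contents: read` described above. The `build` job, the steps, and `contents: write` on `release` are assumptions made for the sample; the function name `unrestricted_jobs` is hypothetical, and this is not CodeQL's own check.

```python
import re

# Constructed sample workflow (not the project's real build-binaries file).
BEFORE = """\
name: build-binaries
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: make
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - run: make release
"""
# Same workflow with the top-level default the PR describes.
AFTER = BEFORE.replace("jobs:\n", "permissions:\n  contents: read\n\njobs:\n", 1)

def unrestricted_jobs(workflow_text):
    """Return jobs whose GITHUB_TOKEN scope is set neither by a top-level
    `permissions:` key nor by a job-level one (block-style YAML with
    2-space indent assumed; this is a line scanner, not a YAML parser)."""
    top_level = False
    in_jobs = False
    jobs = {}          # job name -> has its own permissions key
    current = None
    for line in workflow_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if re.match(r"^\S", line):                 # a top-level key
            in_jobs = line.startswith("jobs:")
            top_level = top_level or line.startswith("permissions:")
            current = None
        elif in_jobs:
            m = re.match(r"^  ([A-Za-z_][\w-]*):\s*$", line)
            if m:                                  # a job id under jobs:
                current = m.group(1)
                jobs[current] = False
            elif current and re.match(r"^    permissions:", line):
                jobs[current] = True
    if top_level:
        return []
    return [name for name, has in jobs.items() if not has]

if __name__ == "__main__":
    print("before:", unrestricted_jobs(BEFORE), "after:", unrestricted_jobs(AFTER))
```

A job-level `permissions` block replaces the workflow-level one for that job, so `release` keeps its write scope in both versions while `build` drops to read-only contents access once the default is added.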