fix(ci): add missing workflow permissions to resolve security alerts (#646)

Co-authored-by: Claude <noreply@anthropic.com>
2025-08-08 16:12:57 +08:00 · 2025-08-08 16:12:57 +08:00 · a21e41b89d
parent 7697b6fb47
commit a21e41b89d
6 changed files with 20 additions and 0 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -11,6 +11,10 @@ on:
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

+permissions:
+  contents: read
+  actions: read
+
 jobs:
  setup:
    strategy:
--- a/.github/workflows/ci@main.yml
+++ b/.github/workflows/ci@main.yml
@ -12,6 +12,10 @@ on:
      - 'rush.json'
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
+
+permissions:
+  contents: read
+
 jobs:
  build:
    strategy:
--- a/.github/workflows/common-pr-checks.yml
+++ b/.github/workflows/common-pr-checks.yml
@ -9,6 +9,9 @@ on:
      - 'rush.json'
    types: [opened, edited, synchronize, reopened]

+permissions:
+  contents: read
+
 jobs:
  common-checks:
    name: PR Common Checks
--- a/.github/workflows/idl.yaml
+++ b/.github/workflows/idl.yaml
@ -12,6 +12,9 @@ on:
      - 'idl/**'
      - '.github/workflows/idl.yaml'

+permissions:
+  contents: read
+
 jobs:
  validate-thrift:
    runs-on: ubuntu-latest
--- a/.github/workflows/license-check.yaml
+++ b/.github/workflows/license-check.yaml
@ -7,6 +7,9 @@ on:

  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  license-check:
    name: License Check
--- a/.github/workflows/semantic-pull-request.yaml
+++ b/.github/workflows/semantic-pull-request.yaml
@ -11,6 +11,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event.number }}
  cancel-in-progress: true

+permissions:
+  pull-requests: read
+
 jobs:
  main:
    name: Check Pull Request Title