Problem
The safe-settings-sync workflow has no permissions: block, so its GITHUB_TOKEN receives the org default (potentially read/write on all scopes), even though the workflow authenticates with App credentials and never uses GITHUB_TOKEN for the sync itself.
Fix
jobs:
  sync:
    permissions:
      contents: read   # needed for the two checkout steps only
Declaring any scope explicitly drops every other GITHUB_TOKEN scope (issues, pull-requests, id-token…) to none.
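As an added check (not part of the audit report or the repository it describes), the scanner below reads a workflow file and reports, per job, whether GITHUB_TOKEN permissions are set at the job level, inherited from a workflow-level permissions: block, or left to the org default, which is the condition this finding flags. The two sample workflows are constructed stand-ins for the safe-settings-sync file; the step names and secrets in them are invented. It is a deliberately small indentation-aware key scanner rather than a full YAML parser, which is enough for ordinary workflow files but would need a real YAML library for flow-style mappings or multi-line scalars.

```python
import re

# Constructed sample: the finding's "before" state, no permissions: block anywhere.
BEFORE = """\
name: safe-settings-sync
on:
  push:
    branches: [main]
jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Sync settings
        run: ./sync.sh
        env:
          APP_TOKEN: ${{ secrets.APP_TOKEN }}
"""

# Constructed sample: the same workflow with the job-level fix applied.
AFTER = """\
name: safe-settings-sync
on:
  push:
    branches: [main]
jobs:
  sync:
    permissions:
      contents: read # needed for the checkout steps only
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""

# Constructed sample: permissions declared once for the whole workflow instead.
WORKFLOW_LEVEL = """\
name: safe-settings-sync
on: [push]
permissions:
  contents: read
jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""

_KEY = re.compile(r'^(\s*)([A-Za-z0-9_.-]+):')


def _keys(lines):
    """Yield (indent, key) for every mapping-key line.

    Blank lines, comments and list items ('- uses: ...') are skipped, so
    only block-style mapping keys are seen.
    """
    for raw in lines:
        line = raw.split('#', 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        m = _KEY.match(line)
        if m:
            yield len(m.group(1)), m.group(2)


def audit_workflow(text):
    """Map each job name to 'job-level', 'workflow-level' or 'org-default'.

    A job only counts as 'job-level' when 'permissions' is a direct child
    of the job mapping, not when the word appears deeper (e.g. in a step).
    """
    keys = list(_keys(text.splitlines()))
    workflow_perms = any(ind == 0 and key == 'permissions' for ind, key in keys)
    default = 'workflow-level' if workflow_perms else 'org-default'
    result = {}
    in_jobs = False
    job_indent = child_indent = current = None
    for ind, key in keys:
        if ind == 0:                      # new top-level section
            in_jobs = key == 'jobs'
            job_indent = child_indent = current = None
            continue
        if not in_jobs:
            continue
        if job_indent is None:            # first key under jobs: fixes job indent
            job_indent = ind
        if ind == job_indent:             # a job name
            current = key
            child_indent = None
            result[current] = default
        elif current is not None:
            if child_indent is None:      # first key inside the job fixes child indent
                child_indent = ind
            if ind == child_indent and key == 'permissions':
                result[current] = 'job-level'
    return result


def jobs_without_explicit_permissions(text):
    """Jobs whose GITHUB_TOKEN falls back to the org default: the audit finding."""
    return sorted(job for job, status in audit_workflow(text).items()
                  if status == 'org-default')


if __name__ == '__main__':
    for label, wf in (('before', BEFORE), ('after', AFTER), ('workflow-level', WORKFLOW_LEVEL)):
        print(label, audit_workflow(wf), 'flagged:', jobs_without_explicit_permissions(wf))
```

Run over a real .github/workflows directory, the flagged list is the set of jobs to which the fix above still needs to be applied; a workflow-level permissions: block clears the finding as well, but the job-level form keeps the grant next to the steps that need it.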
Audit report — section 2b