From 412490e2f56e3bf072e9f36283e31c501ee89cdd Mon Sep 17 00:00:00 2001
From: RAprogramm
Date: Sun, 19 Oct 2025 08:31:07 +0700
Subject: [PATCH] #23 fix: add explicit permissions to all CI workflow jobs
- Add permissions block to all 9 jobs in ci.yml
- Implement principle of least privilege
- Fix all CodeQL security warnings
Jobs with contents: read only:
- format, reuse, audit
Jobs with contents: read + actions: write:
- clippy, test, coverage, docs, build, benchmark (require actions: write for Swatinem/rust-cache@v2)
Benefits:
- Fixes 9 CodeQL security warnings
- Follows GitHub Actions security best practices
- Explicitly declares minimal required permissions
- Professional security posture
---
.github/workflows/ci.yml | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b263f15..0a03518 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -18,6 +18,8 @@ jobs:
 format:
 name: Format
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v4
@@ -33,6 +35,9 @@ jobs:
 name: Clippy
 runs-on: ubuntu-latest
 needs: format
+ permissions:
+ contents: read
+ actions: write
 steps:
 - uses: actions/checkout@v4
@@ -51,6 +56,8 @@ jobs:
 name: REUSE Compliance
 runs-on: ubuntu-latest
 needs: clippy
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v4
@@ -61,6 +68,8 @@ jobs:
 name: Security Audit
 runs-on: ubuntu-latest
 needs: reuse
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v4
@@ -86,6 +95,9 @@ jobs:
 name: Test
 runs-on: ${{ matrix.os }}
 needs: audit
+ permissions:
+ contents: read
+ actions: write
 strategy:
 matrix:
 os: [ubuntu-latest, macos-latest, windows-latest]
@@ -138,6 +150,9 @@ jobs:
 name: Coverage
 runs-on: ubuntu-latest
 needs: test
+ permissions:
+ contents: read
+ actions: write
 steps:
 - uses: actions/checkout@v4
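Review bot: `actions: write` in the clippy job's new `permissions` block (and the same block in test, coverage, docs, build and benchmark) is broader than the stated reason requires: as far as I know Swatinem/rust-cache@v2 saves and restores through the runner's cache toolkit, which authenticates with the runner's own runtime token rather than GITHUB_TOKEN, so `contents: read` alone should suffice, whereas `actions: write` lets any step in the job cancel or re-run workflows and delete caches or artifacts through the API. Run one of these jobs with the scope removed and keep it only if the cache step actually fails. Consider also a workflow-level default of `permissions:` / `  contents: read` above `jobs:` so that any job added later inherits a read-only token instead of the repository default; that top-level block would sit outside these hunks. Each job's steps continue beyond the hunk.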
@@ -165,6 +180,9 @@ jobs:
 name: Documentation
 runs-on: ubuntu-latest
 needs: format
+ permissions:
+ contents: read
+ actions: write
 steps:
 - uses: actions/checkout@v4
@@ -181,6 +199,9 @@ jobs:
 name: Build
 runs-on: ubuntu-latest
 needs: format
+ permissions:
+ contents: read
+ actions: write
 steps:
 - uses: actions/checkout@v4
@@ -197,6 +218,9 @@ jobs:
 name: Benchmark
 runs-on: ubuntu-latest
 needs: format
+ permissions:
+ contents: read
+ actions: write
 steps:
 - uses: actions/checkout@v4