From 89571b9bf4ae8fb049929ff937defded544c096d Mon Sep 17 00:00:00 2001
From: "Andrei G."
Date: Fri, 14 Nov 2025 13:22:07 +0100
Subject: [PATCH] fix(ci): add explicit permissions to GitHub Actions workflows

Add permissions blocks to all jobs in CI and release workflows to follow security best practices. This limits GITHUB_TOKEN permissions to minimum required for each job:
- contents: read - for jobs that only need to read repository
- actions: write - for jobs that upload artifacts (coverage, build)
- contents: write - for release job that creates GitHub releases
This prevents potential privilege escalation and follows the principle of least privilege for GitHub Actions.
Fixes 9 CodeQL security scanning alerts.
---
 .github/workflows/ci.yml | 17 +++++++++++++++++
 .github/workflows/release.yml | 3 +++
 2 files changed, 20 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 86230d6..4d13395 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -28,6 +28,8 @@ jobs:
 name: Check
 runs-on: ubuntu-latest
 timeout-minutes: 15
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v5
 
@@ -63,6 +65,8 @@ jobs:
 name: Security Audit
 runs-on: ubuntu-latest
 timeout-minutes: 10
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v5
 
@@ -92,6 +96,8 @@ jobs:
 needs: [check]
 runs-on: ${{ matrix.os }}
 timeout-minutes: 45
+ permissions:
+ contents: read
 strategy:
 fail-fast: false
 matrix:
@@ -149,6 +155,9 @@ jobs:
 needs: [check]
 runs-on: ubuntu-latest
 timeout-minutes: 30
+ permissions:
+ contents: read
+ actions: write # For uploading artifacts
 steps:
 - uses: actions/checkout@v5
 
@@ -199,6 +208,8 @@ jobs:
 needs: [check]
 runs-on: ubuntu-latest
 timeout-minutes: 20
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v5
 
@@ -221,6 +232,8 @@ jobs:
 needs: [check]
 runs-on: ubuntu-latest
 timeout-minutes: 25
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v5
 
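Review bot: The per-job `permissions:` blocks added in this hunk (and in the other ci.yml hunks) leave the workflow without a top-level default, so any job added later without its own block falls back to the repository's default GITHUB_TOKEN permissions, which on older repositories can still be the permissive read/write setting. A workflow-level `permissions:` / `  contents: read` next to the `on:` trigger makes least privilege the default and lets job-level blocks only widen scope where a job actually needs it; the same applies to release.yml. The workflow header and `on:` trigger are outside this hunk, so I cannot confirm whether such a default already exists.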
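Review bot: `actions: write` in the hunk at @@ -149 is broader than the inline comment "For uploading artifacts" suggests: that scope also lets the token cancel or re-run workflow runs and delete artifacts and caches. The upload step itself is outside the hunk; if it is actions/upload-artifact@v4 without `overwrite: true`, I believe the upload authenticates through the runner-provided runtime token rather than GITHUB_TOKEN, in which case the job can likely stay at `contents: read` alone — verify against the step and the action's documented permission requirements before widening. The same applies to the release.yml build job hunk at @@ -13.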
@@ -252,6 +265,8 @@ jobs:
 needs: [test]
 runs-on: ubuntu-latest
 timeout-minutes: 25
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v5
 
@@ -291,6 +306,8 @@ jobs:
 needs: [check, security, test, coverage, msrv, benchmark]
 runs-on: ubuntu-latest
 if: always()
+ permissions:
+ contents: read
 steps:
 - name: Check all jobs
 run: |
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 86f3f1e..3125438 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,6 +13,9 @@ jobs:
 name: Build Release (${{ matrix.target }})
 runs-on: ${{ matrix.os }}
 timeout-minutes: 45
+ permissions:
+ contents: read
+ actions: write # For uploading artifacts
 strategy:
 fail-fast: false
 matrix:
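Review bot: The commit description says the release job that creates GitHub releases gets `contents: write`, but the only change to release.yml in this patch is the build job's block in the hunk at @@ -13, so that job is not covered here. Verify it carries its own explicit `permissions:` block, since a job without one inherits the repository default rather than the sibling job's `contents: read`; if it does not, add `permissions:` / `  contents: write` to that job (outside this hunk). The release job itself is not visible in the diff, so I cannot tell whether it already had one before this change.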