From 7eb67709f6906749ec3f755c899c8de440c88402 Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Wed, 6 May 2026 13:13:07 +0100
Subject: [PATCH 1/2] Tighten up the GitHub Actions workflow permissions.

---
 .github/workflows/qa.yml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/qa.yml b/.github/workflows/qa.yml
index dc8f55c..4229eee 100644
--- a/.github/workflows/qa.yml
+++ b/.github/workflows/qa.yml
@@ -6,6 +6,8 @@ on:
 # Allow manually triggering the workflow.
 workflow_dispatch:
+permissions: {}
+
 # Cancels all previous workflow runs for the same branch that have not yet completed.
 concurrency:
 # The concurrency group contains the workflow name and the branch name.
@@ -18,9 +20,14 @@ jobs: runs-on: "ubuntu-latest" + permissions: + contents: read + steps: - name: "Checkout" - uses: "actions/checkout@v4" + uses: "actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5" # v4.3.1 + with: + persist-credentials: false - name: "Search for misspellings" - uses: "crate-ci/typos@v1" + uses: "crate-ci/typos@bbaefadf97b0ec5fdc942684b647f1a6ab250274" # v1.46.0
From 93ad9ef355384e48e05770214b9a07dc85de8976 Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Wed, 6 May 2026 13:15:28 +0100
Subject: [PATCH 2/2] Docs.

---
 .github/workflows/qa.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/qa.yml b/.github/workflows/qa.yml
index 4229eee..3768b27 100644
--- a/.github/workflows/qa.yml
+++ b/.github/workflows/qa.yml
@@ -6,6 +6,8 @@ on:
 # Allow manually triggering the workflow.
 workflow_dispatch:
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
 permissions: {}
 # Cancels all previous workflow runs for the same branch that have not yet completed.
@@ -21,7 +23,7 @@ jobs:
 runs-on: "ubuntu-latest"
 permissions:
- contents: read
+ contents: read # Needed to checkout the repo.
 steps: - name: "Checkout"
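Review bot: The two SHA-pinned `uses:` lines in the second hunk of the first patch only stay current if something bumps them, and nothing in this patch series shows an updater; the trailing `# v4.3.1` / `# v1.46.0` comments are the convention Dependabot and Renovate rely on to refresh a pinned SHA together with its version comment, so confirm the repository's `.github/dependabot.yml` (not part of this patch, if it exists) lists the `github-actions` ecosystem, otherwise the pins rot silently. For that to keep working the version comment has to stay on the same line as the `uses:` value, which is worth stating in the file, e.g. `# Pinned to a full commit SHA; keep the trailing version comment so the automated updater can bump both.` above the step. `persist-credentials: false` stops the checkout from writing the job token into the clone's git config, which together with the job-level `contents: read` and the workflow-level `permissions: {}` from the first hunk leaves the later typos step with no writable credential on the checkout; that is the right combination and only the updater question remains open.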