Simplify workflow permissions to contents:read only

oschwald · oschwald · commit e727cd665683 · 2025-08-23T20:00:50.000-07:00
Based on review, all workflows can use minimal contents:read permission.
This provides the most restrictive security posture while still allowing
workflows to function properly.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -8,6 +8,9 @@ on:
   schedule:
     - cron: '0 13 * * 4'
 
+permissions:
+  contents: read
+
 jobs:
   CodeQL-Build:
 
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -2,6 +2,9 @@ name: Go
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
 
   build:
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
@@ -2,6 +2,9 @@ name: golangci-lint
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   golangci:
     name: lint
