Workflow Permissions: 1 issue found

Hekkos found **1** Workflow Permissions configuration issue in this repository.

<sub>This is part of the main [security audit](../issues/14).</sub>

<details open>
<summary><strong>Issue details</strong></summary>

- **Issue 1**: 3 workflow file(s) missing top-level 'permissions' block (follows principle of least privilege): branch.yml, cd.yml, tag.yml

</details>

---

### Why this matters

Restrictive workflow permissions limit what automated workflows can do. This reduces:
- The potential impact if a workflow is compromised or has a bug
- The ability for workflows to make unintended repository changes
- The risk of credential exposure through overly permissive tokens
- The attack surface available to malicious pull requests

---

### How to fix

1. Navigate to **Settings** > **Actions** > **General**
2. Under **Workflow permissions**, select **Read repository contents permission**
3. Uncheck **Allow GitHub Actions to create and approve pull requests** unless required
4. Grant write permissions only to specific workflows using `permissions:` in workflow files

**Documentation:**
- [Automatic token authentication](https://docs.github.com/en/actions/security-guides/automatic-token-authentication)
- [Setting workflow permissions](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Workflow Permissions: 1 issue found #23

Why this matters

How to fix

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Workflow Permissions: 1 issue found #23

Description

Why this matters

How to fix

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions