fix: add explicit permissions to workflow files

0x46616c6b · OpenCode · 0x46616c6b · commit 48132891c3a8 · 2026-04-07T14:23:56.000+02:00
Add minimal permissions blocks to all three workflow files to resolve code scanning alerts for missing-workflow-permissions (alerts #3, #12, #14). This follows the principle of least privilege by explicitly declaring only the permissions each workflow needs rather than inheriting the default (potentially overly broad) token permissions. - release.yml: contents: write (create/update draft releases) - auto-merge.yml: contents: read (App token handles merge operations) - cla.yml: contents: write, pull-requests: write, actions: read Co-Authored-By: OpenCode <noreply@opencode.ai>
diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml
@@ -3,6 +3,9 @@ name: Dependabot
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   dependabot:
     name: Auto Merge
diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
@@ -6,6 +6,11 @@ on:
   pull_request:
     types: [opened, closed, synchronize]
 
+permissions:
+  contents: write
+  pull-requests: write
+  actions: read
+
 jobs:
   CLAssistant:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -5,6 +5,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: write
+
 jobs:
   update_release_draft:
     name: Update Release
