ci: set default permissions for workflows

The default workflow permissions are overly broad; setting permissions
explicitly at the workflow level ensures excessive permissions are not
unintentionally granted to jobs. For details, see:
https://docs.zizmor.sh/audits/#excessive-permissions
This commit is contained in:
Daniel Hast
2026-03-07 10:05:39 -05:00
parent 63844b7904
commit 755087f8ef
20 changed files with 57 additions and 0 deletions

@@ -5,6 +5,8 @@ on:
workflow_dispatch:
issue_comment:
permissions: {}
jobs:
close:
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
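Review bot: With `permissions: {}` at the workflow level, the `close` job gets a token with no scopes unless it declares its own `permissions:` block, and none is visible in this hunk's context. If the job modifies issues or pull requests, it needs a job-level grant such as `issues: write` or `pull-requests: write`, limited to what it actually uses; otherwise its API calls will be rejected once this lands. Please confirm that block exists below the visible lines, or add it in this commit. The empty default is a good fit here because the workflow also runs on `issue_comment`, an event that anyone able to comment can trigger.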