File: .github/workflows/ci.yml, .github/workflows/deploy.yml, .github/workflows/e2e.yml
Severity: security
Obvious? yes
None of the three workflow files declares a top-level or job-level permissions: key; grep -n "permissions:" .github/workflows/*.yml returns zero hits. Without an explicit block, the workflow's GITHUB_TOKEN inherits the repository default, which is often contents: write and may include other write scopes depending on repository configuration. Defense-in-depth principle for CI: declare a top-level permissions: block with contents: read in every workflow and grant additional scopes per job only where needed (e.g., the deploy job pushing artifacts).
Fix: add permissions: { contents: read } at the top of each workflow file; deploy.yml's deploy job can elevate as required.
Filed by /general-audit @ 6404719 (2026-05-03). master: #567.
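The recommended shape, as an added example rather than one of the repository's own workflow files: a read-only default at the top of the file, with only the deploy job elevated. Branch name, make targets and the actions/checkout pin are assumptions.

```yaml
# Added example (not the project's deploy.yml). Before the fix the file had
# no permissions: key at all, so GITHUB_TOKEN inherited the repository default.
name: deploy
on:
  push:
    branches: [master]   # assumed branch

# File-wide default: every job gets a read-only GITHUB_TOKEN unless it
# declares its own permissions block.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # No permissions block here: inherits contents: read from the top level.
    steps:
      - uses: actions/checkout@v4
      - run: make test     # hypothetical target

  deploy:
    needs: test
    runs-on: ubuntu-latest
    # A job-level permissions block replaces the top-level one rather than
    # merging with it, so list every scope this job actually needs.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: make deploy   # hypothetical target that pushes artifacts
```

Any scope not named in a job-level block is set to none, so re-check the job's steps before trimming further.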