Add explicit GITHUB_TOKEN permissions to workflow files (#629)

jhamon · web-flow · commit af4c3a5ecc34 · 2026-04-01T16:21:00.000-04:00
## Summary - Adds `permissions: { contents: read }` to 7 workflow files missing explicit permission scoping - Follows principle of least privilege for GITHUB_TOKEN - Resolves code scanning alerts #15, #20, #21, #23, #24, #25, #26, #29, #33, #59, #60, #65, #69, #70, #71 ## Files changed - `testing-dependency-rest.yaml` - `testing-dependency-grpc.yaml` - `testing-dependency-asyncio.yaml` - `testing-dependency.yaml` - `cleanup-nightly.yaml` - `build-and-publish-docs.yaml` - `publish-to-pypi.yaml` ## Test plan - [x] Workflow-only change — adds permissions blocks, no logic changes - [ ] CI checks pass on this PR  --- > [!NOTE] > **Low Risk** > Low risk workflow-only change that tightens default `GITHUB_TOKEN` access; main risk is an unexpected permissions mismatch causing workflow failures (notably PyPI publishing/tag pushes). > > **Overview** > Adds explicit `permissions` blocks to several GitHub Actions workflows to follow least-privilege defaults. > > Most workflows are scoped to `contents: read`, while the PyPI release workflow is explicitly granted `contents: write` to support tagging/pushing during releases. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 49b5bf2. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
diff --git a/.github/workflows/build-and-publish-docs.yaml b/.github/workflows/build-and-publish-docs.yaml
@@ -7,6 +7,9 @@ on:
       SSH_DEPLOY_KEY:
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   build-and-deploy-documentation:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/cleanup-nightly.yaml b/.github/workflows/cleanup-nightly.yaml
@@ -5,6 +5,9 @@ on:
   schedule:
     - cron:  '5 22 * * *' # 5 minutes after 10pm UTC, every day
 
+permissions:
+  contents: read
+
 jobs:
   cleanup-all:
     name: Cleanup all indexes/collections
diff --git a/.github/workflows/publish-to-pypi.yaml b/.github/workflows/publish-to-pypi.yaml
@@ -34,6 +34,9 @@ on:
         type: string
         default: 'pypi' # options are: pypi, testpypi
 
+permissions:
+  contents: write
+
 jobs:
   pypi:
     timeout-minutes: 30
diff --git a/.github/workflows/testing-dependency-asyncio.yaml b/.github/workflows/testing-dependency-asyncio.yaml
@@ -10,6 +10,9 @@ on:
           required: true
           type: string
 
+permissions:
+  contents: read
+
 jobs:
   dependency-matrix-asyncio-rest:
     name: Deps (Asyncio REST)
diff --git a/.github/workflows/testing-dependency-grpc.yaml b/.github/workflows/testing-dependency-grpc.yaml
@@ -10,6 +10,9 @@ on:
           required: true
           type: string
 
+permissions:
+  contents: read
+
 jobs:
   dependency-matrix-grpc:
     name: GRPC py3.10/py3.10
diff --git a/.github/workflows/testing-dependency-rest.yaml b/.github/workflows/testing-dependency-rest.yaml
@@ -11,6 +11,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   dependency-matrix-rest:
     name: Deps (REST)
diff --git a/.github/workflows/testing-dependency.yaml b/.github/workflows/testing-dependency.yaml
@@ -7,6 +7,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   deps-test-setup:
     name: Deps setup
