Merge pull request #334 from github/begonaguereca-patch-1

begonaguereca · web-flow · commit 6f7dffef239c · 2025-06-11T14:54:44.000-07:00
Harden GitHub Actions Workflow Permissions
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -11,6 +11,9 @@ concurrency:
   group: ci-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest
@@ -85,6 +88,8 @@ jobs:
           path: ${{ runner.temp }}/staging/*
 
   publish:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     needs: build
     if: startsWith(github.ref, 'refs/tags/v')
