mirror of
https://github.com/laoxong/nofx.git
synced 2026-06-04 09:58:22 +08:00
0168f766de
Add workflow-level default permissions and explicit per-job permissions following the principle of least privilege:

Workflow-level (default):
- contents: read - Read repository contents
- pull-requests: write - Manage PR labels and comments
- issues: write - Manage issues (PRs are issues in GitHub API)

Job-level overrides:
- validate-pr: Inherits workflow defaults (needs issue/PR write access)
- backend-tests: Downgrade to read-only (no write operations needed)
- frontend-tests: Downgrade to read-only (no write operations needed)
- auto-label: Add missing issues:write (labeler operates on PR issues)
- security-check: Add security-events:write (upload SARIF results)
- secrets-check: Downgrade to read-only (scanning only)
- all-checks: Downgrade to read-only (status checking only)

This fixes:
1. Potential 403 errors when auto-label tries to add labels to PR issues
2. Missing permission for uploading security scan results
3. Overly permissive access for read-only jobs

Related: #282

Co-Authored-By: tinkle-community <tinklefund@gmail.com>
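As an added illustration, not the repository's actual workflow file, the following GitHub Actions workflow lays out the permission structure the commit message describes. Job names follow the commit message; the steps are placeholders. The point worth noting is that a job-level `permissions` block replaces the workflow-level defaults for that job rather than merging with them, so every scope a job needs has to be restated.

```yaml
name: ci

on:
  pull_request:

# Workflow-level defaults: the least-privilege set every job inherits
# unless it declares its own `permissions` block.
permissions:
  contents: read
  pull-requests: write
  issues: write

jobs:
  validate-pr:
    # No `permissions` key: inherits the workflow defaults above.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

  backend-tests:
    runs-on: ubuntu-latest
    # A job-level block REPLACES the workflow defaults rather than
    # merging with them: every scope not listed here becomes `none`.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: echo "placeholder for the test command"

  auto-label:
    runs-on: ubuntu-latest
    # The labeler edits PR labels through the Issues API, so it needs
    # issues:write in addition to pull-requests:write.
    permissions:
      contents: read
      pull-requests: write
      issues: write
    steps:
      - uses: actions/labeler@v5

  security-check:
    runs-on: ubuntu-latest
    # Uploading SARIF to code scanning requires security-events:write.
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif  # placeholder; written by an earlier scan step
```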