ci: add minimum workflow permissions (#106)

jkennedyvz · Posture Fix · web-flow · commit 11834690d9c2 · 2026-03-25T15:59:50.000-07:00
- Add top-level `permissions: contents: read` to all 4 workflow files
- Change release-doctor.yml trigger from `pull_request` to `pull_request_target`
  to prevent secret exfiltration via PR-controlled workflow modifications

Co-authored-by: Posture Fix &lt;posture-fix@langchain.ai&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -14,6 +14,9 @@ on:
       - 'stl-preview-head/**'
       - 'stl-preview-base/**'
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     timeout-minutes: 15
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -7,6 +7,10 @@ on:
     branches: [main, next]
   schedule:
     - cron: "0 0 * * 0" # Weekly scan on Sunday at midnight
+
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
diff --git a/.github/workflows/publish-sonatype.yml b/.github/workflows/publish-sonatype.yml
@@ -8,6 +8,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 jobs:
   publish:
     name: publish
diff --git a/.github/workflows/release-doctor.yml b/.github/workflows/release-doctor.yml
@@ -1,10 +1,13 @@
 name: Release Doctor
 on:
-  pull_request:
+  pull_request_target:
     branches:
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   release_doctor:
     name: release doctor
