From bfaae36ad295126a77ed5c0e40a97c0a1987b599 Mon Sep 17 00:00:00 2001 From: "aikido-autofix[bot]" <119856028+aikido-autofix[bot]@users.noreply.github.com> Date: Tue, 7 Jul 2026 03:05:46 +0000 Subject: [PATCH] fix(security): autofix Overly Broad Permissions in GitHub Actions Workflows is risky --- .github/workflows/release.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 27aa0a9..ab4498f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,15 +5,16 @@ on: tags: - 'v*' -permissions: - id-token: write # Required for OIDC trusted publishing - contents: write # Required for creating GitHub releases +permissions: {} jobs: publish: # npm provenance publishing only supports GitHub-hosted Actions runners. # Keep this job on ubuntu-latest unless npm adds self-hosted provenance support. runs-on: ubuntu-latest + permissions: + contents: read + id-token: write # Required for OIDC trusted publishing # Workflow-context values are bound to env here and referenced as # shell variables ($TAG/$REPO/$COMMIT_SHA) in run: blocks instead of # `${{ }}` interpolation, so an attacker-controlled tag name cannot be