fix: restrict GitHub Actions workflow token permissions (OSSF least-privilege) (#2662)

Copilot · mikefarah · web-flow · commit 9a0335abb2c6 · 2026-04-13T19:11:10.000+10:00
* Initial plan * fix: add least-privilege token permissions to GitHub workflows (OSSF) Agent-Logs-Url: https://github.com/mikefarah/yq/sessions/1b5db5e2-af78-4289-a6e0-2e972fc68ef1 Co-authored-by: mikefarah <1151925+mikefarah@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: mikefarah <1151925+mikefarah@users.noreply.github.com>
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -20,6 +20,8 @@ on:
   schedule:
     - cron: '24 3 * * 1'
 
+permissions: {}
+
 jobs:
   analyze:
     name: Analyze
diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml
@@ -7,12 +7,17 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   publishDocker:
     environment: dockerhub
     env:
       IMAGE_NAME: mikefarah/yq
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -5,6 +5,8 @@ on:
       - 'v4.*'
       - 'draft-*'
 
+permissions: {}
+
 jobs:
   publishGitRelease:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/snap-release.yml b/.github/workflows/snap-release.yml
@@ -7,10 +7,14 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
     buildSnap:
       environment: snap
       runs-on: ubuntu-latest
+      permissions:
+        contents: read
       steps:
         - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         - uses: snapcore/action-build@3bdaa03e1ba6bf59a65f84a751d943d549a54e79 # v1.3.0
