From cf4ba45f9251b113a46f6636da087cb3a9d126a0 Mon Sep 17 00:00:00 2001
From: "brian m. carlson"
Date: Fri, 21 Nov 2025 18:47:53 +0000
Subject: [PATCH 1/2] workflows: add document header

This is a best practice and yamllint warns about omitting it.
---
 .github/workflows/lint.yml | 1 +
 .github/workflows/release.yml | 1 +
 .github/workflows/test.yml | 1 +
 3 files changed, 3 insertions(+)

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 52a9f07..0b08cfe 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,3 +1,4 @@
+---
 name: Lint
 on:
 push:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 58af3d6..b35a733 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,3 +1,4 @@
+---
 name: Release
 on:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index f658b81..9340467 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,3 +1,4 @@
+---
 on: [push, pull_request]
 name: Test
 jobs:
From 3ca5f0e3dcf46c416dbea72976aa225575ee650a Mon Sep 17 00:00:00 2001
From: "brian m. carlson"
Date: Fri, 21 Nov 2025 18:50:42 +0000
Subject: [PATCH 2/2] workflows: add permissions block

We'd like to run GitHub Actions with the least possible permissions assigned to the token for security reasons. To make this possible, let's add a permissions block to each workflow that lacks one.
---
 .github/workflows/lint.yml | 3 +++
 .github/workflows/test.yml | 2 ++
 2 files changed, 5 insertions(+)

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 0b08cfe..f8cfb4b 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -12,6 +12,9 @@ on:
 - go.mod
 - go.sum
+permissions:
+ contents: read
+
 jobs:
 lint:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 9340467..8efc5ea 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,6 +1,8 @@
 ---
 on: [push, pull_request]
 name: Test
+permissions:
+ contents: read
 jobs:
 test:
 strategy:
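Review bot: The new `permissions:` block carries no comment saying why read-only `contents` is enough or that every scope left unlisted becomes `none`, which is what a maintainer needs to know when a later step fails for lack of a scope. A line such as `# Least privilege: read-only repo access; grant anything more per job.` above the block, here and above the identical block added to lint.yml, would steer that fix toward a job-level grant instead of widening the workflow default. The `jobs:` body continues outside the hunk; if it checks out the repository with actions/checkout, `persist-credentials: false` on that step would additionally keep the token out of the workspace's git config while the tests run, but that cannot be confirmed from the lines shown.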