From 82c090311541d0ee75afe356a7d3dd58845a6a84 Mon Sep 17 00:00:00 2001 From: arpitjain099 Date: Wed, 13 May 2026 11:41:41 +0000 Subject: [PATCH] ci: declare least-privilege permissions on the 4 remaining workflows - format-check, link-check, spell-check: contents: read (PR-time read-only checks). - trigger-contribute-site-netlify: permissions: {} (only POSTs to the Netlify build webhook). Signed-off-by: arpitjain099 --- .github/workflows/format-check.yml | 3 +++ .github/workflows/link-check.yml | 3 +++ .github/workflows/spell-check.yml | 3 +++ .github/workflows/trigger-contribute-site-netlify.yml | 3 +++ 4 files changed, 12 insertions(+) diff --git a/.github/workflows/format-check.yml b/.github/workflows/format-check.yml index 0a31794a..25a9d434 100644 --- a/.github/workflows/format-check.yml +++ b/.github/workflows/format-check.yml @@ -3,6 +3,9 @@ name: Format checks on: pull_request: +permissions: + contents: read + jobs: format-check: name: FILE FORMAT diff --git a/.github/workflows/link-check.yml b/.github/workflows/link-check.yml index bb003298..a3449c66 100644 --- a/.github/workflows/link-check.yml +++ b/.github/workflows/link-check.yml @@ -3,6 +3,9 @@ name: Link checks on: pull_request: +permissions: + contents: read + jobs: link-check: name: LINK checking diff --git a/.github/workflows/spell-check.yml b/.github/workflows/spell-check.yml index 71217d81..3a7d882a 100644 --- a/.github/workflows/spell-check.yml +++ b/.github/workflows/spell-check.yml @@ -3,6 +3,9 @@ name: Spelling checks on: pull_request: +permissions: + contents: read + jobs: spelling-check: name: SPELLING check diff --git a/.github/workflows/trigger-contribute-site-netlify.yml b/.github/workflows/trigger-contribute-site-netlify.yml index db819727..9846eff0 100644 --- a/.github/workflows/trigger-contribute-site-netlify.yml +++ b/.github/workflows/trigger-contribute-site-netlify.yml @@ -4,6 +4,9 @@ on: push: branches: [main] +# Only posts to NETLIFY_CONTRIBUTE_SITE_BUILD_HOOK; no GitHub API. +permissions: {} + jobs: trigger: runs-on: ubuntu-latest