fix: enforce least-privilege permissions on all workflows (#126)

## Summary
- Add top-level `permissions: contents: read` to 6 workflows that were
missing explicit permission declarations (defaulting to overly broad
token scopes)
- Narrow the `permissions: write-all` on the `test-pypi-publish` job in
`_release.yml` to `id-token: write`, which is all trusted PyPI
publishing requires
- `_codespell.yml` already had correct permissions and was left
unchanged

## Test plan
- [ ] Verify CI passes on this PR (lint, test, compile-integration-test
workflows all only need read access)
- [ ] Verify release workflow still works on next release (job-level
`id-token: write` and `contents: write` are preserved where needed)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
John Kennedy
2026-02-25 16:37:11 -08:00
committed by GitHub
parent 2204c7ec84
commit 8a05638338
6 changed files with 20 additions and 1 deletion
@@ -8,6 +8,9 @@ on:
type: string
description: "From which folder this pipeline executes"
permissions:
contents: read
env:
POETRY_VERSION: "2.1.3"
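Review bot: if this is a reusable (`workflow_call`) workflow, as the typed `inputs` block at the top of the hunk and the underscore-prefixed file names in the summary suggest, the `contents: read` added here can only narrow the token the caller passes in, never widen it, so the effective ceiling is still whatever each calling workflow's own `permissions` block grants. Worth confirming that every caller declares one as well; a caller with no block still runs this workflow with the repository default scopes, and this line will not change that.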
@@ -8,6 +8,9 @@ on:
type: string
description: "From which folder this pipeline executes"
permissions:
contents: read
env:
POETRY_VERSION: "2.1.3"
WORKDIR: ${{ inputs.working-directory == '' && '.' || inputs.working-directory }}
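Review bot: same caller-narrowing caveat as the other reusable workflows in this change applies to the `contents: read` block here. On the `WORKDIR` line, deriving the path in `env:` from `inputs.working-directory` and having steps reference `$WORKDIR` is the right pattern; please keep it that way rather than interpolating `${{ inputs.working-directory }}` straight into `run:` scripts elsewhere in the file, since an env variable is expanded by the shell as data while an expression is spliced into the script text.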
@@ -14,6 +14,9 @@ on:
type: string
default: "libs/milvus"
permissions:
contents: read
env:
PYTHON_VERSION: "3.11"
POETRY_VERSION: "2.1.3"
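Review bot: with `contents: read` now at the top of the release workflow, every job below that creates a GitHub release, pushes a tag or commits a version bump needs its own job-level `permissions:` carrying `contents: write`; the summary says these are preserved, but none is visible in this hunk. Please confirm by reading each job's `permissions:` block now rather than waiting for the next release run to surface a 403, since the default working directory of `libs/milvus` means this path is only exercised on a real publish.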
@@ -71,7 +74,8 @@ jobs:
needs:
- build
uses: ./.github/workflows/_test_release.yml
permissions: write-all
permissions:
id-token: write
with:
working-directory: ${{ inputs.working-directory }}
secrets: inherit
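Review bot: declaring `permissions:` with only `id-token: write` sets every scope not listed, including `contents`, to `none` for the called `_test_release.yml`, so if that workflow runs `actions/checkout` or otherwise reads the repository with `GITHUB_TOKEN` it will now fail; if it does, add `contents: read` beside `id-token: write` (trusted publishing needs the OIDC token, but a checkout still needs read access). Separately, `secrets: inherit` still hands the called workflow every repository secret; if the test-PyPI job only needs the OIDC token, pass the specific secrets it uses explicitly under `secrets:` instead of inheriting all of them.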
@@ -8,6 +8,9 @@ on:
type: string
description: "From which folder this pipeline executes"
permissions:
contents: read
env:
POETRY_VERSION: "2.1.3"
@@ -8,6 +8,9 @@ on:
type: string
description: "From which folder this pipeline executes"
permissions:
contents: read
env:
POETRY_VERSION: "2.1.3"
PYTHON_VERSION: "3.10"
@@ -6,6 +6,9 @@ on:
branches: [main]
pull_request:
permissions:
contents: read
# If another push to the same PR or branch happens while this workflow is still running,
# cancel the earlier run in favor of the next run.
#
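Review bot: this is the one workflow in the set triggered directly (`push` to `main` and `pull_request`) rather than via `workflow_call`, so the `contents: read` here is the effective token scope for its own jobs, not a cap on a caller's grant, and it is the change most worth keeping. For `pull_request` runs from forks the token is read-only regardless of this block, so the practical effect is on the `push` to `main` path and on pull requests from branches in this repository; if any job in the file posts check annotations or PR comments it will need a job-level override, otherwise nothing further on this hunk.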