John Kennedy 8a05638338 fix: enforce least-privilege permissions on all workflows (#126)
## Summary
- Add top-level `permissions: contents: read` to 6 workflows that were
missing explicit permission declarations (defaulting to overly broad
token scopes)
- Narrow the `permissions: write-all` on the `test-pypi-publish` job in
`_release.yml` to `id-token: write`, which is all trusted PyPI
publishing requires
- `_codespell.yml` already had correct permissions and was left
unchanged

## Test plan
- [ ] Verify CI passes on this PR (lint, test, compile-integration-test
workflows all only need read access)
- [ ] Verify release workflow still works on next release (job-level
`id-token: write` and `contents: write` are preserved where needed)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-25 16:37:11 -08:00
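The change the commit message describes, as an added example rather than the project's own workflow files: a workflow with no `permissions` block beside its read-only form, and a release workflow whose `test-pypi-publish` job holds only `id-token: write` while a separate job holds `contents: write`. The `lint` workflow, the tag trigger, the `github-release` job, the `make lint` and `gh release` steps and the use of `pypa/gh-action-pypi-publish` are assumptions; only the `test-pypi-publish` job name and the scopes come from the message.

```yaml
# Weak form: no top-level `permissions`, so every job receives the
# repository's default GITHUB_TOKEN scopes (often read/write on all).
name: lint
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make lint   # hypothetical lint step
---
# Hardened form: read-only token declared once at the top level; every
# job inherits it unless it declares its own `permissions`.
name: lint
on: [pull_request]
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make lint   # hypothetical lint step
---
# Release workflow: top-level default stays read-only; write scopes are
# granted per job, and only the scope that job actually uses.
name: release
on:
  push:
    tags: ['v*']
permissions:
  contents: read
jobs:
  test-pypi-publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write     # OIDC token for trusted publishing; replaces write-all
    steps:
      # build or download of dist/ omitted for brevity
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          repository-url: https://test.pypi.org/legacy/
  github-release:
    runs-on: ubuntu-latest
    permissions:
      contents: write     # only this job may create the release
    steps:
      - run: gh release create "$GITHUB_REF_NAME" --generate-notes
        env:
          GH_TOKEN: ${{ github.token }}
```

A job-level `permissions` block replaces the workflow-level one entirely rather than merging with it, so a job that needs both `id-token: write` and `contents: read` must list both.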