Files
John Kennedy 5f64369133 ci: add least-privilege permissions to all workflows (#283)
## Summary
- Adds top-level `permissions: contents: read` to all four workflow
files (`ci.yml`, `_lint.yml`, `_test.yml`, `_release.yml`)
- Follows GitHub's [security hardening best
practice](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-the-permissions-key)
of setting restrictive default permissions
- The release workflow already had per-job elevated permissions
(`id-token: write` for trusted publishing, `contents: write` for
tagging) — those are preserved

## Test plan
- [ ] CI lint job passes
- [ ] CI test job passes
- [ ] Verify release workflow still has correct per-job permissions for
publishing and tagging

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-25 16:37:40 -08:00
..
2025-05-28 16:53:47 -04:00