From 2cf262fe675f72d84160d1f4cc30c03d8aa245a9 Mon Sep 17 00:00:00 2001
From: Matt Miller
Date: Wed, 29 Apr 2026 19:00:36 -0700
Subject: [PATCH] ci: set least-privilege contents:read permissions on openapi-lint workflow

Per CodeRabbit review on #13410. The job only checks out the repo and runs Spectral, so contents:read is sufficient and avoids inheriting any permissive repo/org default token scope.
---
 .github/workflows/openapi-lint.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/openapi-lint.yml b/.github/workflows/openapi-lint.yml
index c5e42e998..be949de2a 100644
--- a/.github/workflows/openapi-lint.yml
+++ b/.github/workflows/openapi-lint.yml
@@ -7,6 +7,9 @@ on:
 - '.spectral.yaml'
 - '.github/workflows/openapi-lint.yml'

+permissions:
+ contents: read
+
 jobs:
 spectral:
 name: Run Spectral
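Review bot: Declaring a top-level `permissions:` block sets every scope that is not listed to `none`, so the `contents: read` added before `jobs:` is only sufficient if no step in the `spectral` job reports results through the checks or pull-request APIs. The job's steps are outside this hunk, so this is worth confirming against a pull-request run. If the Spectral step does publish annotations through the API, grant the extra scope on that job rather than widening the workflow-level block. A short comment above the block would keep the reasoning next to the setting, e.g. `# Least privilege: checkout + Spectral only; add scopes per job if a step needs them.`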