ci: drop default workflow token permissions

The test workflow only needs to evaluate and build repository code. It does not write statuses, labels, comments, or pull request metadata, so keeping GitHub's default token scope is broader than necessary.
2026-06-05 21:02:51 +00:00 · 2026-04-20 16:56:54 -05:00
parent 67f2a145a9
commit 6658732d33
1 changed files with 1 additions and 0 deletions
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -6,6 +6,7 @@ on:
 concurrency:
  group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.run_id }}
  cancel-in-progress: true
+permissions: {}
 jobs:
  changes:
    runs-on: ubuntu-latest