This PR ensures workflows run with minimal permissions, protecting the project from supply-chain attacks.
The change to codeql.yaml is for consistency and future-proofing: if another job is added to the workflow in the future, it will run with just `contents: read` instead of `write-all`.
Fixes #74.
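The pattern this PR describes, sketched as an added example (not the project's actual codeql.yaml): a read-only top-level default with the write scope granted only on the job that needs it. The workflow name, trigger, job names, analysed language and action version tags are assumptions.

```yaml
# Added example; names, trigger and language below are assumed, not taken from the PR.
name: CodeQL
on:
  push:
    branches: [main]

# Top-level default: every job, including any added later, starts read-only.
# Without this block, jobs fall back to the repository/organization default
# token permissions, which may be read/write.
permissions:
  contents: read

jobs:
  analyze:
    runs-on: ubuntu-latest
    # A job-level block replaces the top-level one for this job only, and any
    # scope not listed here is set to none, so list everything the job needs.
    permissions:
      contents: read          # check out the repository
      security-events: write  # upload CodeQL results to code scanning
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: python   # assumed language
      - uses: github/codeql-action/analyze@v3

  # Hypothetical job added later with no permissions block of its own:
  # it inherits the top-level default and gets a token limited to contents: read.
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "token is read-only here"
```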