From 4b10d97a81bb6f6ed0e753818ee939c868f6bf83 Mon Sep 17 00:00:00 2001 From: Andrey Markelov Date: Wed, 15 Jul 2026 16:08:23 -0700 Subject: [PATCH] CI: run on push to main and set least-privilege GITHUB_TOKEN permissions Add a push trigger on main so the full CI matrix (lint, unit, integration) re-runs on merge, matching dropbox-sdk-dotnet; previously ci.yml only ran on pull_request, so main could break undetected. Also add a top-level `permissions: contents: read` to ci.yml, coverage.yml, and spec_update.yml to satisfy the CodeQL missing-workflow-permissions alert. Jobs that need OIDC keep their job-level id-token: write override; spec_update creates PRs via the SPEC_UPDATE_TOKEN PAT, not GITHUB_TOKEN. --- .github/workflows/ci.yml | 6 ++++++ .github/workflows/coverage.yml | 3 +++ .github/workflows/spec_update.yml | 3 +++ 3 files changed, 12 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d1f97f9..67d09f8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,7 +1,13 @@ name: CI on: + push: + branches: + - main pull_request: +permissions: # least privilege; jobs needing OIDC override this + contents: read + jobs: CI: runs-on: ${{ matrix.os }} diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index c73a9fe..42af1ac 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -7,6 +7,9 @@ on: schedule: - cron: 0 0 * * * +permissions: # least privilege; jobs needing OIDC override this + contents: read + jobs: Coverage: runs-on: ubuntu-latest diff --git a/.github/workflows/spec_update.yml b/.github/workflows/spec_update.yml index 17ae5aa..63c10d9 100644 --- a/.github/workflows/spec_update.yml +++ b/.github/workflows/spec_update.yml @@ -4,6 +4,9 @@ on: repository_dispatch: types: [spec_update] +permissions: # least privilege; PR creation uses the SPEC_UPDATE_TOKEN PAT + contents: read + jobs: Update: runs-on: ubuntu-latest