Commit 9f31998e for libheif

commit 9f31998e0f426eeec9ece938baabe6fbf858e042
Author: Alb3e3 <74142887+Alb3e3@users.noreply.github.com>
Date:   Fri Jun 12 00:38:45 2026 +0200

    ci: set least-privilege GITHUB_TOKEN permissions

    Add a workflow-level permissions block granting only `contents: read` to
    all CI/build/test/lint workflows, so the default GITHUB_TOKEN follows
    least privilege instead of inheriting broad write scopes.

    Per maintainer feedback, this uses `contents: read` (the actual scope
    these jobs need) rather than `read-all`, and drops action SHA pinning
    to keep Dependabot-driven action updates reviewable.

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 24349774..e3f7033c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ master ]

+permissions:
+  contents: read
+
 jobs:
   build:
     strategy:
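Review bot: A workflow-level `permissions:` block does not just narrow `contents`; it resets every other scope of the default GITHUB_TOKEN (`pull-requests`, `issues`, `security-events`, `packages`, `id-token`, …) to none, so any job in this file that relies on one of those must now declare it at job level. The job bodies are outside the hunk, so I cannot confirm from the diff that none of them do; the same applies to the hunks for cifuzz.yml, clang.yml, coverity.yml, emscripten.yml, fuzzer.yml, gcc-versions.yml, go.yml, lint.yml, mingw.yml, osx.yml and test.yml. I would add a one-line comment above the block so the next person adding a step knows where to grant extra scope: `# Least-privilege default token; jobs needing more (e.g. security-events: write) override at job level.`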
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
index e399edee..c58358b2 100644
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -8,6 +8,9 @@ on:
   schedule:
     - cron: "0 2 * * SUN"

+permissions:
+  contents: read
+
 jobs:
   Fuzzing:
     runs-on: ubuntu-22.04
diff --git a/.github/workflows/clang.yml b/.github/workflows/clang.yml
index 91ca8420..de6fb3b9 100644
--- a/.github/workflows/clang.yml
+++ b/.github/workflows/clang.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ master ]

+permissions:
+  contents: read
+
 jobs:
   build:
     strategy:
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
index 4942c0d6..c8faca01 100644
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -4,6 +4,9 @@ on:
   push:
     branches: [ master, coverity ]

+permissions:
+  contents: read
+
 jobs:
   scan:
     # TEMPORARILY DISABLED: scan.coverity.com is down and the download step
diff --git a/.github/workflows/diagram.yml b/.github/workflows/diagram.yml
index 6228761b..f0adedd1 100644
--- a/.github/workflows/diagram.yml
+++ b/.github/workflows/diagram.yml
@@ -4,6 +4,9 @@ on:
   push:
     branches:
       - main
+permissions:
+  contents: read
+
 jobs:
   get_data:
     runs-on: ubuntu-22.04
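Review bot: The inserted `permissions:` block directly follows `- main` with no separating blank line, unlike every other file in this commit where a blank line precedes it; add the blank line for consistency. More importantly, this workflow's name and its `push`-only trigger suggest it generates a diagram and commits it back to the repository, which would now fail under `contents: read` unless the job (the `get_data` body and any later jobs are outside the hunk) declares `permissions:` / `contents: write` at job level — please confirm against the job steps. If it does write back, keep the workflow-level read default and scope the write grant to that single job rather than relaxing the top-level block.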
diff --git a/.github/workflows/emscripten.yml b/.github/workflows/emscripten.yml
index 5495c76c..38e3adaf 100644
--- a/.github/workflows/emscripten.yml
+++ b/.github/workflows/emscripten.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ master ]

+permissions:
+  contents: read
+
 jobs:
   emscripten:
     env:
diff --git a/.github/workflows/fuzzer.yml b/.github/workflows/fuzzer.yml
index d9510631..450cd940 100644
--- a/.github/workflows/fuzzer.yml
+++ b/.github/workflows/fuzzer.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ master ]

+permissions:
+  contents: read
+
 jobs:
   fuzzer:
     env:
diff --git a/.github/workflows/gcc-versions.yml b/.github/workflows/gcc-versions.yml
index 41670cab..b838ac0b 100644
--- a/.github/workflows/gcc-versions.yml
+++ b/.github/workflows/gcc-versions.yml
@@ -4,6 +4,9 @@ on:
   push:
   pull_request:

+permissions:
+  contents: read
+
 jobs:
   build:
     strategy:
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 9621dfdc..ff7846e0 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ master ]

+permissions:
+  contents: read
+
 jobs:
   libde265:
     strategy:
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 62a5e7ac..3cee00fe 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ master ]

+permissions:
+  contents: read
+
 jobs:
   cpplint:
     env:
diff --git a/.github/workflows/mingw.yml b/.github/workflows/mingw.yml
index c64bc418..b2ad1a97 100644
--- a/.github/workflows/mingw.yml
+++ b/.github/workflows/mingw.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ master ]

+permissions:
+  contents: read
+
 jobs:
   mingw:
     strategy:
diff --git a/.github/workflows/osx.yml b/.github/workflows/osx.yml
index 25034bb9..132ed58a 100644
--- a/.github/workflows/osx.yml
+++ b/.github/workflows/osx.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ master ]

+permissions:
+  contents: read
+
 jobs:
   build:
     strategy:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 90e67f82..5461a526 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ master ]

+permissions:
+  contents: read
+
 jobs:
   test:
     env: