From feb36aa1096786d71ef575a281addd70ecd19803 Mon Sep 17 00:00:00 2001
From: "Arman C. Kizilkale"
Date: Tue, 5 May 2026 18:05:55 -0400
Subject: [PATCH 1/2] ci: add least-privilege permissions and pin softprops/action-gh-release

Resolves the 5 open CodeQL alerts on the repository:
- Add explicit `permissions:` blocks to all workflow jobs (contents: read for build/test/publish-pypi; contents: write for the GitHub release job that creates releases).
- Pin softprops/action-gh-release@v1 to its commit SHA.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/publish.yml | 6 +++++-
 .github/workflows/run_annotation_tests.yml | 2 ++
 .github/workflows/run_tests.yml | 2 ++
 3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index f72a001..11e418b 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -11,6 +11,8 @@ on:
 jobs:
 publish-pypi:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v4
 - name: Set up Python
@@ -32,10 +34,12 @@ jobs:
 needs: publish-pypi
 name: Create Release
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 steps:
 - uses: actions/checkout@v4
 - name: Create Release
- uses: softprops/action-gh-release@v1
+ uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
 with:
 name: Release ${{ github.ref_name }}
 draft: false
diff --git a/.github/workflows/run_annotation_tests.yml b/.github/workflows/run_annotation_tests.yml
index 7138a35..646c743 100644
--- a/.github/workflows/run_annotation_tests.yml
+++ b/.github/workflows/run_annotation_tests.yml
@@ -13,6 +13,8 @@ jobs:
 annotation-tests:
 runs-on: ${{ matrix.os }}
 timeout-minutes: 20
+ permissions:
+ contents: read
 strategy:
 fail-fast: false
 matrix:
diff --git a/.github/workflows/run_tests.yml b/.github/workflows/run_tests.yml
index a0400af..d56640c 100644
--- a/.github/workflows/run_tests.yml
+++ b/.github/workflows/run_tests.yml
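Review bot: The job-level `permissions:` block added to publish-pypi replaces the whole default GITHUB_TOKEN grant with `contents: read`, so if the upload step that follows the visible `Set up Python` step authenticates to PyPI with trusted publishing (OIDC), the job will now fail for lack of `id-token: write`; the hunk ends before that step, so I cannot confirm which method is used. If it is trusted publishing the block should read `permissions:` / `contents: read` / `id-token: write`; if a stored API-token secret is used, `contents: read` is already the correct minimum. The publish-pypi job body continues past the hunk.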
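Review bot: The trailing comment on the pinned `uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1` line records only the major line, so neither a reader nor an automated pin-updater can tell which tag this SHA was taken from or detect when the pin falls behind; record the exact tag, e.g. `# v1.x.y (placeholder: the exact tag the SHA resolves to)`. In the same hunk `actions/checkout@v4` (and the same line in the publish-pypi hunk above) is still a mutable tag, so the pinning is only partial; it is first-party and lower risk, but if the intent is a fully reproducible release job it should be pinned the same way. `contents: write` is the correct minimum for a job that creates a release.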
@@ -12,6 +12,8 @@ jobs:
 build:
 runs-on: ${{ matrix.os }}
 timeout-minutes: 20
+ permissions:
+ contents: read
 strategy:
 fail-fast: false
 matrix:
From 91fd961d2b172a4862ac8efd506eb10c6462d37b Mon Sep 17 00:00:00 2001
From: sanjaychelliah <65780631+sanjaychelliah@users.noreply.github.com>
Date: Wed, 6 May 2026 12:43:02 +0530
Subject: [PATCH 2/2] Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 .github/workflows/publish.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 11e418b..255790f 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -37,7 +37,6 @@ jobs:
 permissions:
 contents: write
 steps:
- - uses: actions/checkout@v4
 - name: Create Release
 uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
 with: