Committed by wwwillchen-bot
## Summary

- Set top-level `permissions: {}` on 7 workflows to restrict default token permissions, moving grants to job level with least-privilege scoping
- Pinned CLA Assistant action to commit SHA (`ca4a40a7d...`) instead of mutable tag for supply-chain safety
- Mitigated prompt injection in the issue triage workflow by passing issue data via environment variables instead of direct template interpolation, with an explicit security notice

## Test plan

- [ ] Verify CLA workflow still posts status comments on PRs (permissions moved to job level)
- [ ] Verify issue triage workflow still labels and comments on new issues (env var approach)
- [ ] Verify PR review, rebase, bugbot, and closed-issue-comment workflows still trigger correctly with restricted top-level permissions
- [ ] Confirm no permission errors in workflow runs

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Will Chen <willchen90@gmail.com>
Co-authored-by: Claude <noreply@anthropic.com>
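The three hardening steps from the summary, shown on one constructed issue-triage workflow before and after. This is an added illustration, not a workflow file from the PR; the workflow names, the use of `actions/checkout` to demonstrate SHA pinning, and the `<FULL_COMMIT_SHA>` placeholder are assumptions (the PR's own pin is the truncated SHA quoted above).

```yaml
# BEFORE (added example): default token grants, a mutable tag, and issue text
# interpolated straight into the shell script.
name: issue-triage-before
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4            # mutable tag: can be moved later
      - run: |
          # ${{ }} is expanded into the script text BEFORE the shell runs, so
          # whatever is in the issue body becomes part of the command itself.
          echo "Triaging: ${{ github.event.issue.body }}"

---
# AFTER (added example): permissions: {} at the top, least-privilege grants
# per job, an immutable SHA pin, and issue text passed through env vars.
name: issue-triage-after
on:
  issues:
    types: [opened]
permissions: {}                             # GITHUB_TOKEN starts with nothing
jobs:
  triage:
    runs-on: ubuntu-latest
    permissions:                            # only what this job needs
      issues: write
    steps:
      # Placeholder: replace with the real 40-character commit SHA of the
      # release you audited. A SHA cannot be re-pointed the way a tag can.
      - uses: actions/checkout@<FULL_COMMIT_SHA>
      - env:
          # Expanded into the process environment, not into the script body,
          # so the shell treats the content as data.
          ISSUE_TITLE: ${{ github.event.issue.title }}
          ISSUE_BODY: ${{ github.event.issue.body }}
        run: |
          # Always quote the variables; an unquoted $ISSUE_BODY would be
          # word-split and glob-expanded by the shell.
          echo "Triaging: $ISSUE_TITLE"
          printf '%s\n' "$ISSUE_BODY" | head -c 2000
```

The same env-var indirection applies when the issue text is handed to a model or a script for labeling: keep the untrusted text in a variable or file and state in the prompt or code that it is data, which is the "explicit security notice" the summary refers to.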