CI: set least-privileged GITHUB_TOKEN (permissions: contents: read)

.github/workflows/ci.yml

@@ -6,6 +6,9 @@ name: CI
   pull_request:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ci-${{ github.ref }}
   cancel-in-progress: true
@@ -62,7 +65,7 @@ jobs:
         with:
           dockerfile: Dockerfile
           failure-threshold: error
-          ignore: DL3008,DL3059 
+          ignore: DL3008,DL3059
 
   sanity:
     runs-on: ubuntu-latest
@@ -87,4 +90,3 @@ jobs:
           else
             echo "No YAML files."
           fi
-          

.github/workflows/sync-changelog.yml

@@ -42,4 +42,3 @@ jobs:
             git commit -m "chore: sync CHANGELOG.md from FileRise"
             git push origin main
           fi
-          

docker-compose.yml

@@ -41,4 +41,3 @@ services:
       timeout: 5s
       retries: 3
       start_period: 20s
-