ci: pin contents: read on mixin, publish, release, ui-ci

[arpitjain099]

Pins the default GITHUB_TOKEN to read-only on the four workflows still inheriting org defaults. All four are read-only from GitHub's perspective:

• mixin.yml — make -C doc/alertmanager-mixin lint.
• publish.yml — main-branch build + Docker Hub / Quay image push using docker_hub_login/docker_hub_password + quay_io_login/quay_io_password.
• release.yml — tag build + image push (same creds), plus a GitHub release via PROMBOT_GITHUB_TOKEN.
• ui-ci.yml — npm run test for the mantine-ui workspace.

No dependency on the default GITHUB_TOKEN for writes. YAML validated locally.

Summary by CodeRabbit

• Chores
  • Updated CI/CD workflows to explicitly restrict workflow-level permissions to read-only for repository contents.
  • Clarified credential handling for publishing and release operations to avoid expanding workflow permissions.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 177784f4-4b25-41ff-ba87-a58e315a8396

📥 Commits

Reviewing files that changed from the base of the PR and between 033096f and c79c481.

📒 Files selected for processing (4)

• .github/workflows/mixin.yml
• .github/workflows/publish.yml
• .github/workflows/release.yml
• .github/workflows/ui-ci.yml

✅ Files skipped from review due to trivial changes (2)

• .github/workflows/publish.yml
• .github/workflows/release.yml

🚧 Files skipped from review as they are similar to previous changes (2)

• .github/workflows/ui-ci.yml
• .github/workflows/mixin.yml

---

📝 Walkthrough

Walkthrough

Four GitHub Actions workflows now declare top-level permissions blocks setting contents: read. Changes are limited to workflow-level permission declarations and explanatory comments; job steps and CI/publish logic were not modified.

Changes

GitHub Actions Permission Hardening

Layer / File(s)	Summary
Workflow permission restrictions .github/workflows/mixin.yml, .github/workflows/publish.yml, .github/workflows/release.yml, .github/workflows/ui-ci.yml	Added workflow-level permissions: contents: read entries to each workflow. publish.yml and release.yml include comments noting Docker Hub/Quay use their own repository secrets and that GitHub release publishing uses PROMBOT_GITHUB_TOKEN.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The PR description clearly explains the rationale and scope of changes across all four workflows, but does not follow the provided template structure with checklist items.	Consider filling out the PR template checklist to indicate whether this is a security change and if documentation updates are needed, even if marking some items as not applicable.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'ci: pin contents: read on mixin, publish, release, ui-ci' accurately summarizes the main change: adding explicit read-only permissions to four GitHub workflows.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}