From cd9c7ba5421c707396a5ffda0de135176414387a Mon Sep 17 00:00:00 2001 From: Saurabh Jain Date: Thu, 30 Apr 2026 00:16:45 +0200 Subject: [PATCH] fix(security): restrict GITHUB_TOKEN to contents:read on heartbeat workflow The heartbeat-real-stack workflow lacked an explicit top-level permissions block, leaving GITHUB_TOKEN with the repository's default privileges (potentially read/write across many scopes). This violates the principle of least privilege (CWE-275: Permission Issues). The workflow only needs to checkout the repo, set up Python, install the SDK editable, and run a localhost-only E2E. None of those steps require write access to any GitHub resource. Locking the token down to contents: read at workflow scope addresses the code-scanning alert 'actions/missing-workflow-permissions'. Any job that later needs more can declare its own permissions block at job level. Resolves the open code-scanning alert on .github/workflows/heartbeat-real-stack.yml:20. --- .github/workflows/heartbeat-real-stack.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/heartbeat-real-stack.yml b/.github/workflows/heartbeat-real-stack.yml index efad49b..634d433 100644 --- a/.github/workflows/heartbeat-real-stack.yml +++ b/.github/workflows/heartbeat-real-stack.yml @@ -15,6 +15,9 @@ on: env: AXONFLOW_TELEMETRY: 'off' +permissions: + contents: read + jobs: real-stack: name: real-stack ${{ matrix.os }}
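Review bot: the job-level override the commit message relies on ("Any job that later needs more can declare its own permissions block") replaces the workflow-level block rather than merging with it, so a future job under `jobs:` that declares, say, `pull-requests: write` must also restate `contents: read` or `actions/checkout` in that job loses read access; a short comment above `+permissions:` noting that would save the next editor a failed run. The placement itself is right: `permissions:` is a top-level key, sitting after `env:` and before `jobs:` is valid, and `contents: read` is the minimum that still lets the checkout step clone the repository, consistent with the steps the message describes (checkout, setup-python, editable install, localhost-only E2E).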