Merge pull request #56 from netboxlabs/chore/update-release-codeowners

abubnalitic-nbl · web-flow · commit d2ac0b2d3012 · 2025-10-30T14:16:03.000-04:00
Chore/update release codeowners
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1,4 @@
+# CODEOWNERS - Require review from maintainers for critical files
+/.github/workflows/ @abubnalitic-nbl @ltucker
+/pyproject.toml @abubnalitic-nbl @ltucker
+/.github/CODEOWNERS @abubnalitic-nbl @ltucker
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,16 +1,24 @@
 name: Release
 
+# Global defaults - read-only (least privilege)
 permissions:
-  contents: write
-  issues: write
-  pull-requests: write
+  contents: read
+  issues: read
+  pull-requests: read
 
 on:
   workflow_dispatch:
 
 jobs:
   release:
     runs-on: ubuntu-latest
+    environment: release  # Requires manual approval in GitHub settings
+
+    # Job-specific write permissions (least privilege)
+    permissions:
+      contents: write       # Push tags and CHANGELOG
+      issues: write        # Create release issues
+      pull-requests: write # Create release PRs
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
