
fix: add explicit empty permissions to deploy-railway.yml #1132

Merged
msukkari merged 2 commits into main from cursor/fix-deploy-railway-permissions-ee71
Apr 18, 2026

Conversation

@msukkari
Contributor

@msukkari msukkari commented Apr 18, 2026

Summary

Add permissions: {} at the workflow level in deploy-railway.yml to explicitly deny all GitHub token permissions. This follows the principle of least privilege since the workflow only needs RAILWAY_TOKEN and has no use for GitHub token access.

Problem

The deploy-railway.yml workflow was flagged by CodeQL (actions/missing-workflow-permissions - Alert #27) because it runs without declaring explicit GitHub token permissions. Without an explicit permissions: block, the job inherits the repository's or organization's default token permissions, which may include broad scopes like contents: write and pull-requests: write.

Solution

Added permissions: {} at the workflow level to explicitly deny all GitHub token permissions, reducing the attack surface if the workflow were ever compromised.

References

Fixes #929

Linear Issue: SOU-929


Summary by CodeRabbit

  • Chores
    • Enhanced workflow security by implementing explicit permission restrictions on the deployment workflow configuration.

Add permissions: {} at the workflow level to explicitly deny all GitHub
token permissions, following the principle of least privilege. This
workflow only needs RAILWAY_TOKEN and has no use for GitHub token access.

Fixes the CodeQL actions/missing-workflow-permissions alert #27.

Co-authored-by: Michael Sukkarieh <msukkari@users.noreply.github.com>
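The shape of the change this PR describes, as an added example and not the repository's actual deploy-railway.yml (the page does not reproduce that file). The first document is the flagged state with no permissions block, the second is the fixed state with the workflow-level `permissions: {}` from the PR. The workflow name, trigger, checkout step, Railway CLI install and `railway up` invocation, and the secret name `RAILWAY_TOKEN` are assumptions for illustration. The third document goes beyond the PR to show the general pattern when one job does need a GITHUB_TOKEN scope: keep the empty workflow default and re-grant a single scope on that job only.

```yaml
# Document 1: the state CodeQL actions/missing-workflow-permissions flags.
# No `permissions:` key anywhere, so GITHUB_TOKEN inherits the repository
# or organization default, which may be the permissive read/write setting.
# (Constructed example; steps are assumed, not taken from the real file.)
name: Deploy to Railway
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # assumed step
      - run: npm install -g @railway/cli   # assumed step
      - run: railway up                    # assumed step
        env:
          RAILWAY_TOKEN: ${{ secrets.RAILWAY_TOKEN }}  # assumed secret name
---
# Document 2: the fix from this PR. A top-level `permissions: {}` sets every
# GITHUB_TOKEN scope to none for all jobs in the workflow. RAILWAY_TOKEN is
# an ordinary repository secret, not a GITHUB_TOKEN scope, so the deploy
# step is unaffected; a compromised step can no longer push commits, open
# PRs, or write releases with the job's token.
name: Deploy to Railway
on:
  push:
    branches: [main]
permissions: {}
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # assumed step
      - run: npm install -g @railway/cli   # assumed step
      - run: railway up                    # assumed step
        env:
          RAILWAY_TOKEN: ${{ secrets.RAILWAY_TOKEN }}  # assumed secret name
---
# Document 3 (general pattern, beyond this PR): if a job genuinely needs the
# token, for example checkout of a private repository, re-grant only that
# scope at the job level. The workflow-level `permissions: {}` remains the
# default for every other job, and unlisted scopes stay at none.
name: Deploy to Railway
on:
  push:
    branches: [main]
permissions: {}
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # the one scope this job needs; everything else is none
    steps:
      - uses: actions/checkout@v4          # assumed step
      - run: npm install -g @railway/cli   # assumed step
      - run: railway up                    # assumed step
        env:
          RAILWAY_TOKEN: ${{ secrets.RAILWAY_TOKEN }}  # assumed secret name
```

A check worth running after a change like this: trigger the workflow on a branch and confirm the deploy step still succeeds with the empty permissions block, since any step that silently relied on the default token (a checkout of a private repository, a `gh` call, a release upload) will fail at that point rather than at parse time.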
@coderabbitai
Contributor

coderabbitai bot commented Apr 18, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a078559a-ae18-47b5-af73-fc72f5681c5e

📥 Commits

Reviewing files that changed from the base of the PR and between 2c89825 and cdf124a.

📒 Files selected for processing (2)
  • .github/workflows/deploy-railway.yml
  • CHANGELOG.md

Walkthrough

Added explicit empty permissions block to the GitHub Actions workflow file to disable implicit token permissions. Updated the changelog to document this CodeQL security alert fix.

Changes

Cohort / File(s) Summary
Security Configuration
.github/workflows/deploy-railway.yml
Added top-level permissions: {} to explicitly deny all default GitHub token permissions, addressing a CodeQL missing-workflow-permissions alert.
Documentation
CHANGELOG.md
Documented the CodeQL alert fix in the Unreleased → Fixed section, referencing the workflow permissions change.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes


@msukkari msukkari marked this pull request as ready for review April 18, 2026 02:31
@msukkari msukkari merged commit f2d1985 into main Apr 18, 2026
8 of 9 checks passed