ci: least-privilege permissions for all workflows + harden spellcheck install

.github/workflows/build-android.yml

@@ -17,11 +17,18 @@ on:
     - main
     - dev
 
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-
+
+# Least-privilege GITHUB_TOKEN scope: this workflow only checks out source
+# and builds + uploads artifacts (upload-artifact uses its own per-run SAS,
+# not GITHUB_TOKEN). Explicit block satisfies CodeQL rule
+# actions/missing-workflow-permissions if Actions analysis is enabled.
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
 jobs:
   build:
     runs-on: windows-latest

.github/workflows/build-ios-mac.yml

@@ -20,6 +20,12 @@ on:
   - cron: 0 2 * * 1-5
 
 
+# Least-privilege GITHUB_TOKEN scope: this workflow only checks out source
+# and runs the iOS/macOS build matrix. Explicit block satisfies CodeQL rule
+# actions/missing-workflow-permissions if Actions analysis is enabled.
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}

.github/workflows/build-posix-latest.yml

@@ -20,6 +20,12 @@ on:
   - cron: 0 2 * * 1-5
 
 
+# Least-privilege GITHUB_TOKEN scope: this workflow only checks out source
+# and runs the Linux/Mac build matrix. Explicit block satisfies CodeQL rule
+# actions/missing-workflow-permissions if Actions analysis is enabled.
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}

.github/workflows/build-ubuntu-2204.yml

@@ -20,6 +20,12 @@ on:
   - cron: 0 2 * * 1-5
 
 
+# Least-privilege GITHUB_TOKEN scope: this workflow only checks out source
+# and runs the Ubuntu 22.04 build. Explicit block satisfies CodeQL rule
+# actions/missing-workflow-permissions if Actions analysis is enabled.
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}

.github/workflows/build-windows-vs2022.yaml

@@ -13,6 +13,12 @@ on:
     - main
     - dev
 
+# Least-privilege GITHUB_TOKEN scope: this workflow only checks out source
+# and runs the Visual Studio 2022 build. Explicit block satisfies CodeQL
+# rule actions/missing-workflow-permissions if Actions analysis is enabled.
+permissions:
+  contents: read
+
 jobs:
   build:
 

.github/workflows/spellcheck.yml

@@ -6,6 +6,12 @@ on:
   pull_request:
     branches: [ master, main ]
 
+# Least-privilege GITHUB_TOKEN scope: misspell only reads .md/.txt files
+# (no PR comments, no status updates, no package writes). Explicit block
+# satisfies CodeQL "actions/missing-workflow-permissions" and keeps the
+# token narrowly scoped if Actions analysis is enabled here later.
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -22,9 +28,22 @@ jobs:
       continue-on-error: true
 
     - name: install misspell
+      env:
+        # misspell v0.3.4 linux 64-bit tarball SHA256 (from upstream
+        # release checksums.txt). Pinning version + verifying SHA
+        # avoids executing an unpinned bootstrap script from a floating
+        # ref (the prior 'curl https://git.io/misspell | sh' pattern is
+        # a supply-chain risk) and keeps CI reproducible. Bump
+        # deliberately when upstream releases.
+        MISSPELL_VERSION: "0.3.4"
+        MISSPELL_SHA256: "afd95caf1eecc72ff382791e00b3b11523a20b0579d95e2295c1c043688743d5"
       run: |
-        curl -L -o ./install-misspell.sh https://git.io/misspell
-        sh ./install-misspell.sh
+        curl -fsSL -o misspell.tar.gz \
+          "https://github.com/client9/misspell/releases/download/v${MISSPELL_VERSION}/misspell_${MISSPELL_VERSION}_linux_64bit.tar.gz"
+        echo "${MISSPELL_SHA256}  misspell.tar.gz" | sha256sum -c -
+        mkdir -p bin
+        tar -xzf misspell.tar.gz -C bin misspell
+        rm misspell.tar.gz
 
     - name: run misspell
       run: |

.github/workflows/test-win-latest.yml

@@ -20,6 +20,12 @@ on:
   - cron: 0 2 * * 1-5
 
 
+# Least-privilege GITHUB_TOKEN scope: this workflow only checks out source
+# and runs Windows unit/functional tests. Explicit block satisfies CodeQL
+# rule actions/missing-workflow-permissions if Actions analysis is enabled.
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}