From 7b577c0f2f25d94a7587cbb0188165fe5c52a1b8 Mon Sep 17 00:00:00 2001 From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com> Date: Thu, 25 Jun 2026 11:18:05 +0100 Subject: [PATCH] =?UTF-8?q?fix(ci):=20repair=20corrupted=20'npermissions:'?= =?UTF-8?q?=20blocks=20=E2=80=94=20workflow=20couldn't=20parse?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit A security-hardening script (c987edf) tried to add job-level 'permissions: contents: read' but its newline rendered as a literal 'n', injecting 'npermissions:' at column 0 in 11 places — 4 legitimately job-level (after runs-on:), 7 bogus (a top-level duplicate after on:, plus blocks inside step with: bodies). The file no longer parsed as YAML, so ci.yml could not run at all. Re-indents the 4 job-level blocks to proper 'permissions:' and removes the 7 bogus ones; keeps the real top-level permissions. Achieves the original least-privilege intent. YAML now valid (lint/test/build/mirror-to-gitlab). Co-Authored-By: Claude Opus 4.8 --- .github/workflows/ci.yml | 30 ++++++++---------------------- 1 file changed, 8 insertions(+), 22 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ba304b7..3a0162b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -5,8 +5,6 @@ permissions: name: CI on: -npermissions: - contents: read push: branches: [main, master, develop] @@ -24,8 +22,8 @@ jobs: lint: name: Lint & Format runs-on: ubuntu-latest -npermissions: - contents: read + permissions: + contents: read steps: - name: Checkout code @@ -35,12 +33,8 @@ npermissions: uses: erlef/setup-beam@ee09b1e59bb240681c382eb1f0abc6a04af72764 # v1 with: elixir-version: ${{ env.ELIXIR_VERSION }} -npermissions: - contents: read otp-version: ${{ env.OTP_VERSION }} -npermissions: - contents: read - name: Cache deps 
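Review bot: Nothing visible in the lint hunk or the commit message adds a check that would have caught the `npermissions:` corruption before it merged; the lint job's steps continue outside the hunk, so confirm whether one already exists. A workflow file that fails to parse cannot run its own jobs, so a syntax check over `.github/workflows/*.yml` (for example yamllint or actionlint) has to live in a separate workflow file or a pre-commit hook, not in ci.yml itself. The failure here was silent: per the description ci.yml could not run at all, so every gate it enforces was off until someone noticed. Automated edits such as the hardening script referenced as c987edf are the case where a required parse check pays for itself.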
@@ -65,8 +59,8 @@ npermissions: test: name: Test (Elixir ${{ matrix.elixir }} / OTP ${{ matrix.otp }}) runs-on: ubuntu-latest -npermissions: - contents: read + permissions: + contents: read strategy: fail-fast: false @@ -90,12 +84,8 @@ npermissions: uses: erlef/setup-beam@ee09b1e59bb240681c382eb1f0abc6a04af72764 # v1 with: elixir-version: ${{ matrix.elixir }} -npermissions: - contents: read otp-version: ${{ matrix.otp }} -npermissions: - contents: read - name: Cache deps @@ -123,8 +113,8 @@ npermissions: build: name: Build Release runs-on: ubuntu-latest -npermissions: - contents: read + permissions: + contents: read needs: [lint, test] if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') @@ -139,12 +129,8 @@ npermissions: uses: erlef/setup-beam@ee09b1e59bb240681c382eb1f0abc6a04af72764 # v1 with: elixir-version: ${{ env.ELIXIR_VERSION }} -npermissions: - contents: read otp-version: ${{ env.OTP_VERSION }} -npermissions: - contents: read - name: Cache deps @@ -170,8 +156,8 @@ npermissions: mirror-to-gitlab: name: Mirror to GitLab runs-on: ubuntu-latest -npermissions: - contents: read + permissions: + contents: read needs: [test] if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/'))
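Review bot: The job-level `permissions:` block added under `runs-on:` in the test job carries no comment on how it relates to the workflow-level `permissions:` that appears in the first hunk's header; the same applies to the lint, build and mirror-to-gitlab hunks. A job-level block replaces the workflow default for that job and leaves every unlisted scope at no access, which is worth stating so a later edit does not delete it as a duplicate. I would put `# job-level override: read-only GITHUB_TOKEN for this job, independent of the workflow default` above each block. The workflow-level value itself is outside the visible hunks, so if it is already `contents: read` the comment should say the repetition is deliberate.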
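Review bot: With `contents: read` now actually in effect on the Build Release job, any later step that creates a release, pushes a tag or publishes a package with `GITHUB_TOKEN` will be refused, and the job's steps lie outside this hunk, so please confirm none of them needs write access. Because the `if:` line limits this job to `main` and tags, such a failure would first surface during a release rather than on a pull request. If a write scope turns out to be required, grant it on this job only (for example `contents: write` in this block) and leave the workflow-level block and the other three jobs read-only.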