chant audit

local · /Users/alex/Documents/checkouts/intentius/chant/packages/core/src/cli/commands/__fixtures__/audit-repo · 2026-06-17 · 1 file · chant 0.7.0
0 error 3 warning 1 info
3 quick-win 0 needs-review 1 hygiene
3 security 0 correctness 1 best-practice

Quick wins deterministic

Safe mechanical fixes — the diff changes only the flagged lines.

.github/workflows/ci.yml GHA033 Blanket write-all permissions per OSSF Scorecard — Token-Permissions, GitHub — Automatic token authentication
@@ -1,7 +1,8 @@
 name: CI
 on:
   push:
-permissions: write-all
+permissions:
+  contents: read
 jobs:
   build:
     runs-on: ubuntu-latest
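Review bot: the new top-level `permissions:` block grants only `contents: read`, which sets every other GITHUB_TOKEN scope to none for all jobs, and the visible context stops at `runs-on: ubuntu-latest`, so the steps of `build` cannot be checked from this hunk. Confirm that no step in `build` needs a write scope (for example uploading release assets or commenting on pull requests) before applying. If one does, grant that scope under `build:` with a job-level `permissions:` block rather than widening the workflow-level one.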
Needs a value to auto-patch:
Report-only hygiene — 1
Rule | Title | File | Detail
GHA022 | Job without timeout-minutes | .github/workflows/ci.yml | Job "build" does not specify timeout-minutes. Consider adding a timeout to prevent hung workflows.