Skip to content

Commit a2218f7

Browse files
security: scope CLA workflow token permissions to job level (#16)
Top-level permissions set to none; the four scopes CLA Assistant Lite requires (actions, contents, pull-requests, statuses) are now granted only to the cla job. Same effective privilege today (single job), but future jobs no longer inherit write access and the workflow follows the least-privilege pattern recommended for pull_request_target. Same change already merged and verified live in gen-fraud-graph#24. No behavior change.
1 parent e6d2823 commit a2218f7

1 file changed

Lines changed: 8 additions & 6 deletions

File tree

.github/workflows/cla.yml

Lines changed: 8 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -16,17 +16,19 @@ on:
1616
pull_request_target:
1717
types: [opened, closed, synchronize]
1818

19-
# contents: write is required so the bot can commit the signature file back.
20-
permissions:
21-
actions: write
22-
contents: write
23-
pull-requests: write
24-
statuses: write
19+
# contents: write is required so the bot can commit the signature file back;
20+
# all permissions are granted at job level only (top-level default: none).
21+
permissions: {}
2522

2623
jobs:
2724
cla:
2825
name: CLA Assistant
2926
runs-on: ubuntu-latest
27+
permissions:
28+
actions: write
29+
contents: write
30+
pull-requests: write
31+
statuses: write
3032
if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
3133
steps:
3234
- name: CLA Assistant

0 commit comments

Comments
 (0)