Skip to content

Commit b4565de

Browse files
committed
ci: declare workflow-level contents: read on 3 workflows
Pins the default GITHUB_TOKEN to contents: read on the workflows in .github/workflows/ that don't call a GitHub API beyond the initial checkout. The other workflows in this directory are left implicit because they need write scopes that a maintainer is better placed to declare. Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow caps bound runtime authority irrespective of repo or org default, give drift protection if the default ever widens, and are credited per-file by the OpenSSF Scorecard Token-Permissions check. YAML validated locally with yaml.safe_load. Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
1 parent cb809fa commit b4565de

3 files changed

Lines changed: 9 additions & 0 deletions

File tree

.github/workflows/ci.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,9 @@ name: CI
22

33
on: [push, pull_request]
44

5+
permissions:
6+
contents: read
7+
58
jobs:
69
lint:
710
runs-on: ubuntu-latest

.github/workflows/indexing_top_gems.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,9 @@ name: Index top 100 gems
22

33
on: [push, pull_request]
44

5+
permissions:
6+
contents: read
7+
58
jobs:
69
indexing_top_gems:
710
runs-on: ubuntu-latest

.github/workflows/memleak.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,9 @@ on:
1212
- "rust/**"
1313
- "ext/**"
1414

15+
permissions:
16+
contents: read
17+
1518
jobs:
1619
memleak:
1720
runs-on: ubuntu-latest

0 commit comments

Comments
 (0)