From 6b39681ad331fd7ceee8c867f69b5e95869c738f Mon Sep 17 00:00:00 2001 From: Arpit Jain Date: Sun, 31 May 2026 10:15:42 +0900 Subject: [PATCH] ci: declare workflow-level contents: read on 1 workflow Declares an explicit workflow-level permissions: contents: read on 1 workflow that currently inherit the default broad read-write GITHUB_TOKEN. Each file was inspected and only reads the checkout; none publish, push, or write via the GitHub API. Post-CVE-2025-30066 hardening default. Signed-off-by: Arpit Jain --- .github/workflows/changelog.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml index 6b65dbf0..3ba2b9d6 100644 --- a/.github/workflows/changelog.yml +++ b/.github/workflows/changelog.yml @@ -5,6 +5,10 @@ on: paths: - 'CHANGELOG.md' + +permissions: + contents: read + jobs: changelog: uses: cockroachdb/actions/.github/workflows/pr-changelog-check.yml@v0