
Commit 9be2bf7

ci: declare workflow-level contents: read on 8 e2e/test workflows
Pins the default GITHUB_TOKEN to contents: read on the 8 workflows in .github/workflows/ that don't actually need any write scope:

- e2e-kind-create.yaml, e2e-kind-decommission.yaml, e2e-kind-upgrades.yaml, e2e-kind-upgradessha256.yaml, e2e-kind-versionchecker.yaml: kind cluster e2e suites.
- nightly-smoketest.yaml: scheduled smoke test.
- templates.yaml: template-generation check, no GitHub API.
- tests.yaml: unit/integration test matrix.

update-crdb-versions.yaml is intentionally left out; it uses peter-evans/create-pull-request which needs contents: write + pull-requests: write. That scope is best declared by maintainers.

Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow caps bound runtime authority irrespective of repo or org default, give drift protection if the default ever widens, and are credited per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
1 parent 14a70d3 commit 9be2bf7

8 files changed

Lines changed: 24 additions & 0 deletions

.github/workflows/e2e-kind-create.yaml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -24,6 +24,9 @@ on:
2424
# Allows you to run this workflow manually from the Actions tab
2525
workflow_dispatch:
2626

27+
permissions:
28+
contents: read
29+
2730
jobs:
2831
e2e-kind-create:
2932
runs-on: ubuntu-latest-4-core
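Review bot: A workflow-level `permissions:` block with only `contents: read` sets every other scope (checks, pull-requests, packages, id-token, ...) to none for all jobs in the file, so before merging, confirm that no step in `e2e-kind-create` publishes check results, comments on the PR, or otherwise calls the GitHub API with GITHUB_TOKEN. If one job does need more, give that job its own `permissions:` block rather than widening this workflow-level default.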

.github/workflows/e2e-kind-decommission.yaml

Lines changed: 3 additions & 0 deletions
@@ -24,6 +24,9 @@ on:
2424
# Allows you to run this workflow manually from the Actions tab
2525
workflow_dispatch:
2626

27+
permissions:
28+
contents: read
29+
2730
jobs:
2831
e2e-kind-decommission:
2932
runs-on: ubuntu-latest-4-core
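Review bot: Missing in-file documentation: the rationale for the pin lives only in the commit message. This file already annotates `workflow_dispatch:` with a comment, so a one-line comment above `permissions:` (for example `# Least privilege: nothing in this workflow needs a write scope on GITHUB_TOKEN`) would keep the intent visible to whoever next edits the file and tempts them to widen it.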

.github/workflows/e2e-kind-upgrades.yaml

Lines changed: 3 additions & 0 deletions
@@ -24,6 +24,9 @@ on:
2424
# Allows you to run this workflow manually from the Actions tab
2525
workflow_dispatch:
2626

27+
permissions:
28+
contents: read
29+
2730
jobs:
2831
e2e-kind-upgrades:
2932
runs-on: ubuntu-latest-4-core
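Review bot: One scope worth double-checking for the kind-cluster suites specifically: if any job logs in to GHCR with GITHUB_TOKEN to pull or push images, that login now fails because `packages` is implicitly none once this block is declared. If that is the case, add `packages: read` here (or at job level); if the images come from a public registry or are built locally in the kind cluster, the hunk is correct as written.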

.github/workflows/e2e-kind-upgradessha256.yaml

Lines changed: 3 additions & 0 deletions
@@ -24,6 +24,9 @@ on:
2424
# Allows you to run this workflow manually from the Actions tab
2525
workflow_dispatch:
2626

27+
permissions:
28+
contents: read
29+
2730
jobs:
2831
e2e-kind-upgradessha256:
2932
runs-on: ubuntu-latest-4-core

.github/workflows/e2e-kind-versionchecker.yaml

Lines changed: 3 additions & 0 deletions
@@ -24,6 +24,9 @@ on:
2424
# Allows you to run this workflow manually from the Actions tab
2525
workflow_dispatch:
2626

27+
permissions:
28+
contents: read
29+
2730
jobs:
2831
e2e-kind-versionchecker:
2932
runs-on: ubuntu-latest

.github/workflows/nightly-smoketest.yaml

Lines changed: 3 additions & 0 deletions
@@ -25,6 +25,9 @@ on:
2525
# allows running from the actions tab in GitHub
2626
workflow_dispatch: ~
2727

28+
permissions:
29+
contents: read
30+
2831
jobs:
2932
smoketest:
3033
runs-on: ubuntu-latest

.github/workflows/templates.yaml

Lines changed: 3 additions & 0 deletions
@@ -24,6 +24,9 @@ on:
2424
# Allows you to run this workflow manually from the Actions tab
2525
workflow_dispatch:
2626

27+
permissions:
28+
contents: read
29+
2730
jobs:
2831
templates:
2932
runs-on: ubuntu-latest

.github/workflows/tests.yaml

Lines changed: 3 additions & 0 deletions
@@ -24,6 +24,9 @@ on:
2424
# Allows you to run this workflow manually from the Actions tab
2525
workflow_dispatch:
2626

27+
permissions:
28+
contents: read
29+
2730
jobs:
2831
tests:
2932
runs-on: ubuntu-latest
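Review bot: The commit message says the YAML was checked with `yaml.safe_load`, which only proves the files parse; it does not validate that `permissions` and `contents: read` are placed and spelled correctly for GitHub Actions. Running actionlint over `.github/workflows/` (it validates the `permissions` map and its scope values) would catch a misplaced or misspelled key that would otherwise surface only as a failed run. Beyond that, the hunk is consistent with the other seven and reads fine.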
