Skip to content

ci(lint): cap GITHUB_TOKEN to contents: read#524

Open
arpitjain099 wants to merge 1 commit into
envoyproxy:mainfrom
arpitjain099:chore/declare-workflow-perms
Open

ci(lint): cap GITHUB_TOKEN to contents: read#524
arpitjain099 wants to merge 1 commit into
envoyproxy:mainfrom
arpitjain099:chore/declare-workflow-perms

Conversation

@arpitjain099

Copy link
Copy Markdown

The lint workflow only runs lint checks. No GitHub API writes, so workflow-level contents: read is the right cap for the default GITHUB_TOKEN.

Post-CVE-2025-30066 (tj-actions/changed-files) hardening pattern. YAML validated locally.

lint workflow only runs lint checks; no GitHub API writes. contents: read at workflow level is appropriate.

Post-CVE-2025-30066 hardening pattern. yaml.safe_load validated.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@arpitjain099 arpitjain099 requested a review from a team as a code owner May 25, 2026 03:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant