Skip to content

ci: declare workflow-level contents: read on 2 workflows#421

Open
arpitjain099 wants to merge 1 commit into
eslint:mainfrom
arpitjain099:chore/declare-workflow-perms-readonly
Open

ci: declare workflow-level contents: read on 2 workflows#421
arpitjain099 wants to merge 1 commit into
eslint:mainfrom
arpitjain099:chore/declare-workflow-perms-readonly

Conversation

@arpitjain099
Copy link
Copy Markdown

@arpitjain099 arpitjain099 commented May 17, 2026

Pins the default GITHUB_TOKEN to contents: read on 2 workflows in .github/workflows/ that don't call a GitHub API beyond the initial checkout.

Why

CVE-2025-30066 (March 2025 tj-actions/changed-files supply-chain compromise) exfiltrated GITHUB_TOKEN from workflow logs. Pinning per workflow caps runtime authority irrespective of the repo or org default, gives drift protection if the default ever widens, and is credited per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load on each touched file.

@arpitjain099
ci: declare workflow-level contents: read on 2 workflows
79ab530 
Pins the default GITHUB_TOKEN to contents: read on workflows that don't
call a GitHub API beyond the initial checkout. Other workflows that need
write scopes are left implicit for a maintainer to declare.

Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files
compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow
caps bound runtime authority irrespective of repo or org default,
give drift protection, and are credited per-file by the OpenSSF
Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@netlify
Copy link
Copy Markdown

netlify Bot commented May 17, 2026
edited
Loading

Deploy Preview for eslint-code-explorer ready!

Name Link
🔨 Latest commit 79ab530
🔍 Latest deploy log https://app.netlify.com/projects/eslint-code-explorer/deploys/6a0932579d2bae0007b0dfba
😎 Deploy Preview https://deploy-preview-421--eslint-code-explorer.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
🤖 Make changes Run an agent on this branch

To edit notification comments on pull requests, go to your Netlify project configuration.

@eslintbot eslintbot added this to Triage May 17, 2026
@github-project-automation github-project-automation Bot moved this to Needs Triage in Triage May 17, 2026
amareshsm
amareshsm reviewed May 18, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@amareshsm amareshsm left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have one more workflow to update as well add-to-triage Could we apply the same permission restrictions and hardening it too?

Also, there are a few linting issues causing the CI checks to fail. Could you fix those as well?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@amareshsm amareshsm amareshsm left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

build

Projects

Triage
Status: Needs Triage

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@arpitjain099 @amareshsm @eslintbot