Commit 237575d

chore(ci): restrict GITHUB_TOKEN to contents: read (#1863)

Workflow runs checks only; no GitHub API writes. Post-CVE-2025-30066 hardening pattern.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
1 parent 0e35767 commit 237575d

1 file changed

Lines changed: 3 additions & 0 deletions

.github/workflows/ci.yml

@@ -16,6 +16,9 @@ on:
1616
- .github/workflows/ci.yml
1717
- .github/workflows/remark-lint-problem-matcher.json
1818

19+
permissions:
20+
contents: read
21+
1922
jobs:
2023
lint:
2124
runs-on: ubuntu-latest
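
Review bot: The top-level `permissions:` block added at new lines 19-20 has no comment explaining it, and because naming only `contents: read` leaves every other token scope at none, a job added later that needs to write (for example to post a PR comment or a check result) will fail with a permissions error whose cause is not obvious from the workflow. Suggest a one-line comment above the block, such as `# Least privilege: checks only, no API writes; grant extra scopes per job`, so that extra scopes are granted at job level rather than by widening this block. The hunk shows only the start of the `lint` job, so it is worth confirming in the rest of the file that no other job relies on a write scope.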
