Skip to content

Commit 06cdc41

Browse files
committed
ci: declare workflow-level contents: read on 2 workflows
Pins the default GITHUB_TOKEN to contents: read on workflows that don't call a GitHub API beyond the initial checkout. Other workflows that need write scopes are left implicit for a maintainer to declare. Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow caps bound runtime authority irrespective of repo or org default, give drift protection, and are credited per-file by the OpenSSF Scorecard Token-Permissions check. YAML validated locally with yaml.safe_load. Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
1 parent c904736 commit 06cdc41

2 files changed

Lines changed: 7 additions & 0 deletions

File tree

.github/workflows/push.yml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,10 @@ on:
44
branches-ignore:
55
- "dependabot/*"
66
pull_request:
7+
8+
permissions:
9+
contents: read
10+
711
jobs:
812
Python:
913
runs-on: ubuntu-latest

.github/workflows/shellcheck.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,9 @@ on:
1111
- '.github/workflows/shellcheck.yml'
1212
- '.shellcheckrc'
1313

14+
permissions:
15+
contents: read
16+
1417
jobs:
1518
shellcheck:
1619
runs-on: ubuntu-latest

0 commit comments

Comments
 (0)