From d51eca3954be3f651c5eb9d6194f4ad1f3f6dcde Mon Sep 17 00:00:00 2001 From: Arpit Jain Date: Sat, 16 May 2026 09:20:00 +0900 Subject: [PATCH] ci: declare workflow-level contents: read on 2 workflows Pins the default GITHUB_TOKEN to contents: read on workflows that don't call a GitHub API beyond the initial checkout. Drops the autofix.yml change from the earlier revision because that workflow uses autofix-ci to push fixes back to the PR head, which needs write scope (per @JounQin review feedback). Other workflows that need write scopes are left implicit for a maintainer to declare. Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow caps bound runtime authority irrespective of repo or org default, give drift protection, and are credited per-file by the OpenSSF Scorecard Token-Permissions check. YAML validated locally with yaml.safe_load. Signed-off-by: Arpit Jain --- .github/workflows/ci.yml | 3 +++ .github/workflows/pkg-pr-new.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 14b9067..a8f0703 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -10,6 +10,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: ci: name: Lint and Test on Node ${{ matrix.node }} (ESLint ${{ matrix.eslint }}) diff --git a/.github/workflows/pkg-pr-new.yml b/.github/workflows/pkg-pr-new.yml index 756c5b5..b2161b1 100644 --- a/.github/workflows/pkg-pr-new.yml +++ b/.github/workflows/pkg-pr-new.yml @@ -7,6 +7,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: publish: runs-on: ubuntu-latest