Skip to content

Commit 1653737

Browse files
committed
ci: declare workflow-level contents: read on 1 workflows
Pins the default GITHUB_TOKEN to contents: read on workflows that don't call a GitHub API beyond the initial checkout. Other workflows that need write scopes are left implicit for a maintainer to declare. Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow caps bound runtime authority irrespective of repo or org default, give drift protection, and are credited per-file by the OpenSSF Scorecard Token-Permissions check. YAML validated locally with yaml.safe_load. Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
1 parent 6d24c65 commit 1653737

1 file changed

Lines changed: 3 additions & 0 deletions

File tree

.github/workflows/docgen.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,9 @@ on:
88
push:
99
branches: [main]
1010

11+
permissions:
12+
contents: read
13+
1114
jobs:
1215
build-docs:
1316
runs-on: linux.g5.4xlarge.nvidia.gpu

0 commit comments

Comments
 (0)