ci: declare contents: read permissions on cifuzz workflow#1194
Merged
Conversation
Member
|
can you combine with #1188 and rebase? |
Member
|
these are repository defaults, so it's essentially a no-op, but there doesn't seem to be an issue in explicitly adding these. |
Contributor
Author
@loosebazooka ok let me update this |
Contributor
Author
|
That's right @loosebazooka - it's intentionally a no-op right now. The benefit is pinning the scope explicitly so it stays correct regardless of future changes to the repo-wide default (defense-in-depth). Thanks for taking a look. |
loosebazooka
previously approved these changes
Jun 4, 2026
loosebazooka
reviewed
Jun 4, 2026
Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
Contributor
Author
|
Rebased and added the newline. #1188 has since merged, so its gradle-wrapper-validation change is already on |
2336e27 to
ec147e7
Compare
loosebazooka
approved these changes
Jun 8, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds a top-level
permissions:block declaringcontents: readon.github/workflows/cifuzz.yaml.The CIFuzz fuzz-testing workflow runs on pull requests and pushes to perform fuzz coverage; it does not push commits, create releases, comment on PRs, or call any GitHub write API.
contents: readis therefore the minimum sufficient token scope.I previously opened a related PR (#1188) for the gradle-wrapper-validation workflow in this repo. This is the same shape applied to the fuzz workflow, kept as a separate PR so each can be reviewed in isolation.
A short list of reasons this is cheap-but-worth-doing:
Token-Permissionscheck flags any workflow that does not declare explicit perms.Validated locally with
python3 -c "import yaml; yaml.safe_load(open('.github/workflows/cifuzz.yaml'))". No other edits.