
ci: declare workflow-level contents: read on 2 workflows #421 (Closed)

arpitjain099 wants to merge 1 commit into eslint:main from arpitjain099:chore/declare-workflow-perms-readonly

Conversation

@arpitjain099

Pins the default GITHUB_TOKEN to contents: read on 2 workflows in .github/workflows/ that don't call a GitHub API beyond the initial checkout.

Why

CVE-2025-30066 (March 2025 tj-actions/changed-files supply-chain compromise) exfiltrated GITHUB_TOKEN from workflow logs. Pinning per workflow caps runtime authority irrespective of the repo or org default, gives drift protection if the default ever widens, and is credited per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load on each touched file.

@netlify

netlify Bot commented May 17, 2026

Deploy Preview for eslint-code-explorer ready!

Latest commit: a0eeea7
Latest deploy log: https://app.netlify.com/projects/eslint-code-explorer/deploys/6a1541926e41a00009ded7fd
Deploy Preview: https://deploy-preview-421--eslint-code-explorer.netlify.app

@eslintbot eslintbot added this to Triage May 17, 2026
@github-project-automation github-project-automation Bot moved this to Needs Triage in Triage May 17, 2026
@amareshsm amareshsm (Member) left a comment


We have one more workflow to update as well, add-to-triage. Could we apply the same permission restrictions and hardening to it too?

Also, there are a few linting issues causing the CI checks to fail. Could you fix those as well?

Pins the default GITHUB_TOKEN to contents: read on workflows that don't
call a GitHub API beyond the initial checkout. Other workflows that need
write scopes are left implicit for a maintainer to declare.

Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files
compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow
caps bound runtime authority irrespective of repo or org default,
give drift protection, and are credited per-file by the OpenSSF
Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
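The PR description and the commit message above describe the same hardening step: declaring a workflow-level permissions block so the default GITHUB_TOKEN is capped at contents: read instead of inheriting the repository or organization default. The following Python audit is an added example, not code from the eslint project or from this PR. It scans workflow text for that workflow-level declaration and reports workflows that still inherit the default, use write-all, or grant write scopes, using constructed sample workflows that show the before and after form. It is a line-based scan that assumes the conventional block-style YAML of .github/workflows files (top-level keys at column 0); it is not a YAML parser, and it deliberately reports only the workflow-level block, since job-level permissions blocks override it per job and are outside the change described here.

```python
"""Audit GitHub Actions workflows for a workflow-level permissions block.

Added example; not code from the eslint project or from this PR. Line-based
scan that assumes block-style YAML with top-level keys at column 0 (the usual
shape of .github/workflows files). It is not a full YAML parser.
"""
import re

# One scope line under a mapping-style permissions block, e.g. "  contents: read".
SCOPE_RE = re.compile(r"^\s+([a-z-]+):\s*(read|write|none)\s*(#.*)?$")
# The workflow-level key itself; job-level blocks are indented and do not match.
TOP_LEVEL_RE = re.compile(r"^permissions:\s*(.*)$")


def audit_workflow(text: str) -> dict:
    """Summarize what the workflow declares for the default GITHUB_TOKEN.

    level is one of:
      implicit  - no workflow-level block; the token gets the repo/org default
      read-all / write-all / none - the scalar shorthands
      scoped    - an explicit mapping; every scope not listed becomes none
    """
    result = {"declared": False, "level": "implicit", "scopes": {}, "write_scopes": []}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = TOP_LEVEL_RE.match(lines[i])
        i += 1
        if not m:
            continue
        result["declared"] = True
        value = m.group(1).split("#", 1)[0].strip()
        if value in ("read-all", "write-all"):
            result["level"] = value
        elif value in ("{}", "{ }"):
            result["level"] = "none"
        elif value == "":
            # Mapping form: consume indented lines until the next top-level key.
            while i < len(lines) and (lines[i].startswith(" ") or not lines[i].strip()):
                sm = SCOPE_RE.match(lines[i])
                if sm:
                    result["scopes"][sm.group(1)] = sm.group(2)
                i += 1
            result["level"] = "scoped" if result["scopes"] else "none"
        else:
            result["level"] = "unrecognized"
        break
    result["write_scopes"] = sorted(s for s, a in result["scopes"].items() if a == "write")
    return result


def needs_attention(summary: dict):
    """Return a finding for a workflow that does not cap the token, else None."""
    if not summary["declared"]:
        return "no workflow-level permissions block; GITHUB_TOKEN inherits the repo/org default"
    if summary["level"] == "write-all":
        return "permissions: write-all grants write on every scope"
    if summary["write_scopes"]:
        return "write access granted to: " + ", ".join(summary["write_scopes"])
    if summary["level"] == "unrecognized":
        return "permissions value not understood by this scan; review manually"
    return None


def audit_many(workflows: dict) -> dict:
    """Map each workflow name to its finding (None when it is already capped)."""
    return {name: needs_attention(audit_workflow(text)) for name, text in workflows.items()}


# Constructed sample, the "before" state: no permissions block, so the job runs
# with whatever the repository or organization default grants.
IMPLICIT_WORKFLOW = """\
name: lint
on: [push, pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run lint
"""

# Constructed sample, the hardened form this PR applies: token capped at
# contents: read, every unspecified scope becomes none.
HARDENED_WORKFLOW = """\
name: lint
on: [push, pull_request]
permissions:
  contents: read  # checkout only
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run lint
"""

# Constructed sample of the weakest explicit setting.
WRITE_ALL_WORKFLOW = "name: release\non: [push]\npermissions: write-all\njobs: {}\n"

SAMPLE_WORKFLOWS = {"legacy.yml": IMPLICIT_WORKFLOW, "lint.yml": HARDENED_WORKFLOW,
                    "release.yml": WRITE_ALL_WORKFLOW}

if __name__ == "__main__":
    for name, finding in audit_many(SAMPLE_WORKFLOWS).items():
        print(f"{name}: {finding or 'ok (token capped at workflow level)'}")
```

Run against a real checkout by reading each file under .github/workflows into the dictionary; a finding of None means the workflow already declares a workflow-level cap with no write scopes, which is the state this PR leaves the two touched workflows in.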