Skip to content

Commit d6e222b

Browse files
authored
ci: declare workflow-level contents: read on 1 workflow (#852)
Declares an explicit workflow-level permissions: contents: read on 1 workflow that currently inherit the default broad read-write GITHUB_TOKEN. Each file was inspected and only reads the checkout; none publish, push, or write via the GitHub API. Post-CVE-2025-30066 hardening default. Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
1 parent 24c2e8d commit d6e222b

1 file changed

Lines changed: 4 additions & 0 deletions

File tree

.github/workflows/CI.yml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,10 @@ on:
55
branches:
66
- master
77
tags: '*'
8+
9+
permissions:
10+
contents: read
11+
812
jobs:
913
test:
1014
name: Julia ${{ matrix.version }} - ${{ matrix.os }} - ${{ matrix.arch }} - ${{ github.event_name }}

0 commit comments

Comments
 (0)