Skip to content

Commit d611b71

Browse files
committed
ci: declare workflow-level contents: read on 1 workflows
Pins the default GITHUB_TOKEN to contents: read on the workflows in .github/workflows/ that don't call a GitHub API beyond the initial checkout. The other workflows in this directory are left implicit because they need write scopes that a maintainer is better placed to declare. Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow caps bound runtime authority irrespective of repo or org default, give drift protection if the default ever widens, and are credited per-file by the OpenSSF Scorecard Token-Permissions check. YAML validated locally with yaml.safe_load. Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
1 parent f34698c commit d611b71

1 file changed

Lines changed: 3 additions & 0 deletions

File tree

.github/workflows/ci.nightly.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,9 @@ concurrency:
1515
group: ${{ github.workflow }}-${{ github.ref }}-${{ github.ref != 'refs/heads/master' || github.run_number }}
1616
cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
1717

18+
permissions:
19+
contents: read
20+
1821
jobs:
1922
test-nightly:
2023
# We do not run the full test suite on tags, because we already ran it on master before we made the release.

0 commit comments

Comments
 (0)