Skip to content

ci: declare workflow-level contents: read on 1 workflows#1106

Open
arpitjain099 wants to merge 1 commit into
JuliaLang:masterfrom
arpitjain099:chore/declare-workflow-perms-readonly
Open

ci: declare workflow-level contents: read on 1 workflows#1106
arpitjain099 wants to merge 1 commit into
JuliaLang:masterfrom
arpitjain099:chore/declare-workflow-perms-readonly

Conversation

@arpitjain099

Copy link
Copy Markdown

Pins the default GITHUB_TOKEN to contents: read on 1 workflows in .github/workflows/ that don't call a GitHub API beyond the initial checkout.

The following files were left implicit because they reference GITHUB_TOKEN / use a write-scope action / trigger on pull_request_target. Those scopes are best declared by maintainers: CompatHelper.yml, TagBot.yml, ci.yml.

Why

CVE-2025-30066 (March 2025 tj-actions/changed-files supply-chain compromise) exfiltrated GITHUB_TOKEN from workflow logs. Pinning per workflow caps runtime authority irrespective of the repo or org default, gives drift protection if the default ever widens, and is credited per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load on each touched file.

@codecov

codecov Bot commented May 15, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.13%. Comparing base (f34698c) to head (4bf7e4d).
⚠️ Report is 4 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #1106      +/-   ##
==========================================
+ Coverage   85.45%   86.13%   +0.67%     
==========================================
  Files           3        3              
  Lines         832      887      +55     
==========================================
+ Hits          711      764      +53     
- Misses        121      123       +2     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@arpitjain099

Copy link
Copy Markdown
Author

Hi maintainers, just a note that the two windows test failures here look pre-existing: master itself has the same windows test runs cancelled/failed across the recent 2026-04-28 push runs. The diff in this PR is 3 lines of permissions: contents: read on ci.yml only, so it shouldn't affect tests. @DilumAluthge has approved.

If there's anything else you'd like me to address, let me know.

Pins the default GITHUB_TOKEN to contents: read on the workflows in
.github/workflows/ that don't call a GitHub API beyond the initial
checkout. The other workflows in this directory are left implicit
because they need write scopes that a maintainer is better placed
to declare.

Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files
compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow
caps bound runtime authority irrespective of repo or org default,
give drift protection if the default ever widens, and are credited
per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@arpitjain099 arpitjain099 force-pushed the chore/declare-workflow-perms-readonly branch from d611b71 to 4bf7e4d Compare June 10, 2026 07:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants