
Commit 14bd2fc

fix: scope permissions per-job to limit audit token blast radius
The audit job runs npm ci, which executes untrusted install scripts. Move permissions from workflow-level to job-level so only the dependency-summary job (which posts PR comments) holds pull-requests: write.

Made-with: Cursor
1 parent e1b513d commit 14bd2fc

1 file changed

Lines changed: 9 additions & 4 deletions


.github/workflows/dependency-validation.yml

@@ -16,16 +16,14 @@ concurrency:
1616
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
1717
cancel-in-progress: true
1818

19-
permissions:
20-
contents: read
21-
pull-requests: write
22-
2319
env:
2420
NODE_VERSION: 22.x
2521

2622
jobs:
2723
detect-dirs:
2824
runs-on: ubuntu-latest
25+
permissions:
26+
contents: read
2927
outputs:
3028
dirs: ${{ steps.dirs.outputs.dirs }}
3129
steps:
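Review bot: dropping the workflow-level permissions block (the three removed lines at the top of this hunk) means any job in this file that does not declare its own permissions falls back to the repository's default GITHUB_TOKEN permissions, which on many repositories is still read/write across scopes. Keep a top-level `permissions: contents: read` as a floor and let dependency-summary override it with `pull-requests: write`; a job-level block replaces the workflow-level one rather than being capped by it, so the per-job scoping in this commit still works, and a job added later (or any job this diff does not touch) cannot silently inherit more than read access.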
@@ -57,6 +55,8 @@ jobs:
5755
audit:
5856
needs: detect-dirs
5957
runs-on: ubuntu-latest
58+
permissions:
59+
contents: read
6060
if: ${{ !contains(github.event.pull_request.labels.*.name, 'skip-audit') && needs.detect-dirs.outputs.dirs != '[]' }}
6161
strategy:
6262
fail-fast: false
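Review bot: job-level `contents: read` still hands the audit job a token, and per the commit message this is the job that runs `npm ci` with untrusted install scripts, so the token should not be reachable from those scripts at all. Pass `persist-credentials: false` to actions/checkout in this job so the token is not written into .git/config, and run `npm ci --ignore-scripts` if the audit only needs the lockfile resolved. Note that under a plain `pull_request` trigger from a fork the token is already read-only regardless of this block; the gain here is for same-repo PRs and any `pull_request_target` usage, which is all the more reason to keep the token out of the working tree.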
@@ -126,6 +126,8 @@ jobs:
126126
127127
override-consistency:
128128
runs-on: ubuntu-latest
129+
permissions:
130+
contents: read
129131
steps:
130132
- uses: actions/checkout@v4
131133

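Review bot: `- uses: actions/checkout@v4` in this hunk (and the same `uses:` in the dependency-summary hunk below) is pinned to a mutable major tag; for a dependency-validation workflow the actions it runs should themselves be pinned to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: actions/checkout@<full-sha> # v4`, so the supply chain this workflow polices includes its own actions. The `contents: read` block added for override-consistency is otherwise correct for a job that only reads the checkout.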
@@ -178,6 +180,9 @@ jobs:
178180
dependency-summary:
179181
needs: detect-dirs
180182
runs-on: ubuntu-latest
183+
permissions:
184+
contents: read
185+
pull-requests: write
181186
steps:
182187
- name: Checkout PR head
183188
uses: actions/checkout@v4

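Review bot: dependency-summary is now the only job holding `pull-requests: write`, and its first step is `Checkout PR head`; if this workflow is triggered by `pull_request_target` (the trigger is not visible in this diff, but the concurrency group keys on `github.event.pull_request.number`), executing anything from that checkout (`npm ci`, lifecycle scripts, a package's own tooling) while holding a write-capable token is the classic pwn-request pattern. Add a comment on the job stating that it only reads files from the PR checkout and never runs package code, pass `persist-credentials: false` to that checkout, and if it does need `npm ci` output, produce it in the read-only audit job and pass it through an artifact rather than running it here.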