Commit 14bd2fc
committed
fix: scope permissions per-job to limit audit token blast radius
The audit job runs npm ci which executes untrusted install scripts.
Move permissions from workflow-level to job-level so only the
dependency-summary job (which posts PR comments) holds
pull-requests: write.
Made-with: Cursor1 parent e1b513d commit 14bd2fc
1 file changed
Lines changed: 9 additions & 4 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
16 | 16 | | |
17 | 17 | | |
18 | 18 | | |
19 | | - | |
20 | | - | |
21 | | - | |
22 | | - | |
23 | 19 | | |
24 | 20 | | |
25 | 21 | | |
26 | 22 | | |
27 | 23 | | |
28 | 24 | | |
| 25 | + | |
| 26 | + | |
29 | 27 | | |
30 | 28 | | |
31 | 29 | | |
| |||
57 | 55 | | |
58 | 56 | | |
59 | 57 | | |
| 58 | + | |
| 59 | + | |
60 | 60 | | |
61 | 61 | | |
62 | 62 | | |
| |||
126 | 126 | | |
127 | 127 | | |
128 | 128 | | |
| 129 | + | |
| 130 | + | |
129 | 131 | | |
130 | 132 | | |
131 | 133 | | |
| |||
178 | 180 | | |
179 | 181 | | |
180 | 182 | | |
| 183 | + | |
| 184 | + | |
| 185 | + | |
181 | 186 | | |
182 | 187 | | |
183 | 188 | | |
| |||
0 commit comments