Skip to content

Commit cb7bf09

Browse files
authored
ci: declare workflow-level contents: read on 2 workflows (#3367)
Pins the default `GITHUB_TOKEN` to `contents: read` on 2 workflows in `.github/workflows/` that don't call a GitHub API beyond the initial checkout. The following files were left implicit because they reference `GITHUB_TOKEN` / use a write-scope action / trigger on `pull_request_target`. Those scopes are best declared by maintainers: `docker-builds.yml`, `lint.yaml`. ## Why CVE-2025-30066 (March 2025 `tj-actions/changed-files` supply-chain compromise) exfiltrated `GITHUB_TOKEN` from workflow logs. Pinning per workflow caps runtime authority irrespective of the repo or org default, gives drift protection if the default ever widens, and is credited per-file by the OpenSSF Scorecard `Token-Permissions` check. YAML validated locally with `yaml.safe_load` on each touched file. Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
1 parent a670699 commit cb7bf09

2 files changed

Lines changed: 6 additions & 0 deletions

File tree

.github/workflows/unit_test_cpu.yaml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,9 @@ concurrency:
1313
group: unit-test${{ github.workflow }}-${{ github.ref == 'refs/heads/main' && github.run_number || github.ref }}
1414
cancel-in-progress: true
1515

16+
permissions:
17+
contents: read
18+
1619
jobs:
1720
build-test:
1821
uses: pytorch/test-infra/.github/workflows/linux_job_v2.yml@main

.github/workflows/unit_test_cpu_torchft.yaml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,9 @@ concurrency:
1515
group: unit-test${{ github.workflow }}-${{ github.ref == 'refs/heads/main' && github.run_number || github.ref }}
1616
cancel-in-progress: true
1717

18+
permissions:
19+
contents: read
20+
1821
jobs:
1922
build-test:
2023
uses: pytorch/test-infra/.github/workflows/linux_job_v2.yml@main

0 commit comments

Comments
 (0)