Commit cb7bf09
authored
ci: declare workflow-level
Pins the default `GITHUB_TOKEN` to `contents: read` on 2 workflows in
`.github/workflows/` that don't call a GitHub API beyond the initial
checkout.
The following files were left implicit because they reference
`GITHUB_TOKEN` / use a write-scope action / trigger on
`pull_request_target`. Those scopes are best declared by maintainers:
`docker-builds.yml`, `lint.yaml`.
## Why
CVE-2025-30066 (March 2025 `tj-actions/changed-files` supply-chain
compromise) exfiltrated `GITHUB_TOKEN` from workflow logs. Pinning per
workflow caps runtime authority irrespective of the repo or org default,
gives drift protection if the default ever widens, and is credited
per-file by the OpenSSF Scorecard `Token-Permissions` check.
YAML validated locally with `yaml.safe_load` on each touched file.
Signed-off-by: Arpit Jain <arpitjain099@gmail.com>contents: read on 2 workflows (#3367)1 parent a670699 commit cb7bf09
2 files changed
Lines changed: 6 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
13 | 13 | | |
14 | 14 | | |
15 | 15 | | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
16 | 19 | | |
17 | 20 | | |
18 | 21 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
15 | 15 | | |
16 | 16 | | |
17 | 17 | | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
18 | 21 | | |
19 | 22 | | |
20 | 23 | | |
| |||
0 commit comments