From a1361b2cb698f764febf888c2b989f5d90563e4c Mon Sep 17 00:00:00 2001 From: Arpit Jain Date: Mon, 18 May 2026 09:39:12 +0900 Subject: [PATCH] ci: declare workflow-level contents: read on 2 workflows Pins the default GITHUB_TOKEN to contents: read on workflows that don't call a GitHub API beyond the initial checkout. Other workflows that need write scopes are left implicit for a maintainer to declare. Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow caps bound runtime authority irrespective of repo or org default, give drift protection, and are credited per-file by the OpenSSF Scorecard Token-Permissions check. YAML validated locally with yaml.safe_load. Signed-off-by: Arpit Jain --- .github/workflows/main.yml | 3 +++ .github/workflows/pull_request.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 6622d7b..2cea25a 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "0 8,20 * * *" +permissions: + contents: read + jobs: unit-tests: name: Unit tests diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index a4147b8..60d979c 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -4,6 +4,9 @@ on: pull_request: types: [opened, reopened, synchronize] +permissions: + contents: read + jobs: soundness: name: Soundness