From 27f79e7b75fa33d51c151c6c0b9c4b36bdfbfea8 Mon Sep 17 00:00:00 2001 From: Arpit Jain Date: Mon, 25 May 2026 12:32:30 +0900 Subject: [PATCH] ci: declare workflow-level contents: read on ci and validate Both workflows just run Go test and lint validation. No GitHub API writes from the workflows. Post-CVE-2025-30066 hardening pattern. yaml.safe_load validated. Signed-off-by: Arpit Jain --- .github/workflows/ci.yml | 3 +++ .github/workflows/validate.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c685fdb5fa..ec4506072f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,6 +11,9 @@ env: DOCKER_SWARMKIT_USE_CONTAINER: 1 IMAGE_NAME: moby/swarmkit +permissions: + contents: read + jobs: build-dev: runs-on: ubuntu-22.04 diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 080dfa65a9..34a5809a04 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -15,6 +15,9 @@ on: env: DOCKER_SWARMKIT_USE_CONTAINER: 1 +permissions: + contents: read + jobs: validate: runs-on: ubuntu-22.04