From fbad8e75f24fe0ce19146a22fa6f259c9f12da86 Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Fri, 15 May 2026 14:46:28 +0900
Subject: [PATCH] ci: declare workflow-level contents: read on 3 workflows

Pins the default GITHUB_TOKEN to contents: read on the workflows in .github/workflows/ that don't call a GitHub API beyond the initial checkout. The other workflows in this directory are left implicit because they need write scopes that a maintainer is better placed to declare.

Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow caps bound runtime authority irrespective of repo or org default, give drift protection if the default ever widens, and are credited per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load.

Signed-off-by: Arpit Jain
---
 .github/workflows/merge_group.yml | 3 +++
 .github/workflows/pypi_build.yml | 3 +++
 .github/workflows/test_hosted.yml | 5 ++++-
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/merge_group.yml b/.github/workflows/merge_group.yml
index eb0ab102258..cf324a6f398 100644
--- a/.github/workflows/merge_group.yml
+++ b/.github/workflows/merge_group.yml
@@ -5,6 +5,9 @@ name: Merge Queue
 on:
 merge_group:
+permissions:
+ contents: read
+
 jobs:
 call-core:
 uses: ./.github/workflows/suite_core.yml
diff --git a/.github/workflows/pypi_build.yml b/.github/workflows/pypi_build.yml
index 8740e7cac5c..2b208b95ba4 100644
--- a/.github/workflows/pypi_build.yml
+++ b/.github/workflows/pypi_build.yml
@@ -25,6 +25,9 @@ on:
 env:
 TWINE_PASSWORD: ${{ secrets.PYPI_API_KEY }}
+permissions:
+ contents: read
+
 jobs:
 pypi-build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/test_hosted.yml b/.github/workflows/test_hosted.yml
index 85b8052647a..8fa077089c8 100644
--- a/.github/workflows/test_hosted.yml
+++ b/.github/workflows/test_hosted.yml
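Review bot: A workflow-level `permissions: contents: read` on a caller becomes the ceiling for the reusable workflow it invokes at `uses: ./.github/workflows/suite_core.yml`, and a called workflow that needs any scope beyond that (for example `checks: write` or `pull-requests: write` for status reporting) fails at call time instead of silently running with less. Before merging, confirm that suite_core.yml's own `permissions:` block, which is not in this patch, requests nothing more than `contents: read`, or put the cap on the `call-core:` job together with whatever extra scope that workflow actually needs. The other two hunks in this patch cap plain jobs rather than a reusable-workflow call, so this concern is specific to merge_group.yml. For all three new blocks a one-line comment would keep the intent visible to later editors, e.g. `# Workflow-wide ceiling for GITHUB_TOKEN; a job needing more must request it in its own permissions: block.`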
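Review bot: The workflow-level `env: TWINE_PASSWORD: ${{ secrets.PYPI_API_KEY }}` two lines above the new block in pypi_build.yml exposes the PyPI publish credential to every step of every job in this file, so capping GITHUB_TOKEN at `contents: read` leaves the higher-value secret in this workflow unscoped. Move that `env:` onto the single step that runs twine (the `pypi-build` job's steps are outside the hunk), or replace the long-lived API key with PyPI trusted publishing, which needs a job-level `permissions: id-token: write` that the new workflow-level block deliberately does not grant. The commit message's statement that this workflow calls no GitHub API beyond checkout is consistent with the visible lines but cannot be verified from the hunk alone.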
@@ -7,7 +7,10 @@ on:
 description: 'SHA to test (optional)'
 required: false
 type: string
-
+
+permissions:
+ contents: read
+
 jobs:
 explore-linux:
 runs-on: linux-x86-n2-16
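Review bot: The `-`/`+` pair at the top of this hunk replaces an existing line with an empty one, which looks like a trailing-whitespace cleanup and accounts for the single deletion in the diffstat, but the commit message does not mention it; either drop it from this change or say so in the description so the deletion is not read as a semantic edit. The manual-trigger input described as `'SHA to test (optional)'` is typed `string` and taken as-is; if a step outside the hunk interpolates it directly into a `run:` line, pass it through an `env:` variable instead so the read-only token cap is not the only control on that job. The `explore-linux` job's steps begin outside this hunk, so that usage cannot be checked here.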