Skip to content

Commit 96f45c6

Browse files
committed
ci: declare workflow-level contents: read on 2 workflows
Pins the default GITHUB_TOKEN to contents: read on workflows that don't call a GitHub API beyond the initial checkout. Other workflows that need write scopes are left implicit for a maintainer to declare. Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow caps bound runtime authority irrespective of repo or org default, give drift protection, and are credited per-file by the OpenSSF Scorecard Token-Permissions check. YAML validated locally with yaml.safe_load. Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
1 parent e107245 commit 96f45c6

2 files changed

Lines changed: 7 additions & 0 deletions

File tree

.github/workflows/build.yml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,10 @@ on:
66
pull_request:
77
branches:
88
- main
9+
10+
permissions:
11+
contents: read
12+
913
jobs:
1014
build:
1115
runs-on: ubuntu-latest

.github/workflows/gradle-wrapper-validation.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,9 @@
11
name: "Validate Gradle Wrapper"
22
on: [push, pull_request]
33

4+
permissions:
5+
contents: read
6+
47
jobs:
58
validation:
69
name: "Validation"

0 commit comments

Comments
 (0)