Skip to content

ci: declare workflow-level contents: read on 4 check workflows#2743

Closed
arpitjain099 wants to merge 1 commit into
nasa:devfrom
arpitjain099:chore/declare-workflow-perms
Closed

ci: declare workflow-level contents: read on 4 check workflows#2743
arpitjain099 wants to merge 1 commit into
nasa:devfrom
arpitjain099:chore/declare-workflow-perms

Conversation

@arpitjain099

Copy link
Copy Markdown

Four lint/analysis workflows (format-check, codeql-build, static-analysis, mcdc) just run pure checks. No GitHub API writes from the workflows, so workflow-level contents: read is the right cap.

Note: codeql-build writes via security-events: write on the analyze job, so I left that job-level permissions alone (this PR only adds the workflow-level cap, jobs can still override upward where they need to).

Same post-CVE-2025-30066 (tj-actions/changed-files) hardening pattern. YAML validated locally.

Four lint/analysis workflows (format-check, codeql-build, static-analysis, mcdc) run pure checks. No GitHub API writes from the workflows. Workflow-level contents: read is the right cap.

Post-CVE-2025-30066 hardening pattern. yaml.safe_load validated.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@arpitjain099

Copy link
Copy Markdown
Author

Closing in favor of #2730 to avoid duplicate/overlapping permissions PRs in this repo. The extra workflow this PR touched needs write scopes (CodeQL, auto-update, or a user/issue responder), so it should not get a blanket contents: read; I am leaving that to the maintainers. #2730 hardens the read-only workflows here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants