ci: declare workflow-level contents: read on 3 workflows#269
arpitjain099 wants to merge 1 commit into
lumirlumir
left a comment
As mentioned in eslint/rewrite#452 (review), could you take a look at the CI failure?
ce8dc9b to 37f292e
Indent fix (4-space) + rebase on main pushed; same shape as the rewrite#452 fix. Let me know if anything else.
Thanks for the update. I think the CI failure isn’t related to this change, and it also fails on the
Quick read on the CI failure - the failing job ( The fix would live in
    "pnpm": {
      "onlyBuiltDependencies": ["yo"]
    }
Happy to roll that into this PR if you'd prefer one PR, or leave it as a separate small fix - your call. Other repos in the batch don't hit this since they don't pull in yeoman.
@arpitjain099 Thanks for looking into it. I opened a PR to resolve that issue about five days ago at #270, so let’s wait a bit for that PR to be merged :) |
Could you rebase this branch once so that the CI failure is fixed? |
Pins the default GITHUB_TOKEN to contents: read on workflows that don't call a GitHub API beyond the initial checkout. Other workflows that need write scopes are left implicit for a maintainer to declare.

Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow caps bound runtime authority irrespective of repo or org default, give drift protection, and are credited per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
37f292e to 3809c73
Rebased onto main - the CI failure should be cleared now. Thanks @lumirlumir! |
Pins the default GITHUB_TOKEN to contents: read on 3 workflows in .github/workflows/ that don't call a GitHub API beyond the initial checkout.

Why

CVE-2025-30066 (March 2025 tj-actions/changed-files supply-chain compromise) exfiltrated GITHUB_TOKEN from workflow logs. Pinning per workflow caps runtime authority irrespective of the repo or org default, gives drift protection if the default ever widens, and is credited per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load on each touched file.
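The PR description above explains the cap and the drift risk but does not show the check a maintainer would keep running afterwards. The script below is an added example, not code from this PR or from the eslint repositories: it loads each workflow (with yaml.safe_load when PyYAML is installed, as the PR did for validation, otherwise with a small fallback loader that understands only the block mappings the check reads), works out the effective GITHUB_TOKEN grant per job (a job-level permissions block overrides the workflow-level one; a job with neither inherits the repository/org default, which is exactly the drift the PR guards against), and reports write scopes. The three workflow texts, the function names and the default .github/workflows path are my own assumptions, chosen to mirror the before/after shape the PR describes.

```python
# Added example, not code from the PR or the eslint repos: drift check for
# workflow-level GITHUB_TOKEN permissions. Uses yaml.safe_load when PyYAML is
# present (as the PR did for validation), else a minimal loader for the keys read.
import sys
from pathlib import Path

try:
    import yaml  # PyYAML, optional
except ImportError:
    yaml = None

def _mini_load(text):
    """Block mappings and scalars only; '- ' list items (steps) are skipped."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) path from the root
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if line.startswith("- "):
            continue
        key, _, value = (s.strip() for s in line.partition(":"))
        while stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1]
        if value in ("", "{}"):  # nested mapping (or an explicit empty one)
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value
    return root

def scopes_with_write(perms):
    """Scopes granted write: 'write-all' -> ['*']; read-only, None or {} -> []."""
    if isinstance(perms, str):
        return ["*"] if perms.strip() == "write-all" else []
    if isinstance(perms, dict):
        return sorted(k for k, v in perms.items() if str(v).strip() == "write")
    return []

def audit_workflow(text):
    """Per job: a job-level permissions block overrides the workflow-level one;
    a job with neither inherits the repository/org default (the drift case)."""
    doc = (yaml.safe_load(text) or {}) if yaml else _mini_load(text)
    declared = "permissions" in doc
    report = {"workflow_declared": declared, "inherit_default": [], "write": {}}
    for name, job in (doc.get("jobs") or {}).items():
        job = job if isinstance(job, dict) else {}
        if "permissions" in job:
            effective = job["permissions"]
        elif declared:
            effective = doc["permissions"]
        else:
            report["inherit_default"].append(name)
            continue
        if scopes_with_write(effective):
            report["write"][name] = scopes_with_write(effective)
    return report

# Constructed samples, not files from the PR: BEFORE is the shape the PR fixes,
# AFTER adds the workflow-level cap, RELEASE widens one job deliberately.
BEFORE = """\
name: CI
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""
AFTER = BEFORE.replace("jobs:", "permissions:\n  contents: read\njobs:", 1)
RELEASE = """\
name: Release
on: push
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: write
"""

def main(argv):
    """Scan *.yml/*.yaml in the given dirs (default .github/workflows)."""
    roots = [Path(p) for p in argv] or [Path(".github/workflows")]
    drift = 0
    for path in sorted(p for r in roots for p in r.glob("*.y*ml")):
        rep = audit_workflow(path.read_text())
        drift += len(rep["inherit_default"])
        for job in rep["inherit_default"]:
            print(f"{path}: job '{job}' has no permissions block, inherits default")
        for job, scopes in rep["write"].items():
            print(f"{path}: job '{job}' holds write on {', '.join(scopes)}")
    return 1 if drift else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it from the repository root with no arguments to scan .github/workflows; it exits non-zero when any job still inherits the default token, which is the condition that would silently reopen if the workflow-level block were ever dropped. The write listing is informational: jobs such as the constructed publish job are expected to widen a single scope for themselves, and the check makes that grant visible per job rather than hidden in the repo or org setting.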