Skip to content

ci: declare workflow-level contents: read on 4 workflows#240

Merged
lumirlumir merged 1 commit into
eslint:mainfrom
arpitjain099:chore/declare-workflow-perms-readonly
May 19, 2026
Merged

ci: declare workflow-level contents: read on 4 workflows#240
lumirlumir merged 1 commit into
eslint:mainfrom
arpitjain099:chore/declare-workflow-perms-readonly

Conversation

@arpitjain099
Copy link
Copy Markdown
Contributor

@arpitjain099 arpitjain099 commented May 15, 2026

Pins the default GITHUB_TOKEN to contents: read on 4 workflows in .github/workflows/ that don't call a GitHub API beyond the initial checkout.

Why

CVE-2025-30066 (March 2025 tj-actions/changed-files supply-chain compromise) exfiltrated GITHUB_TOKEN from workflow logs. Pinning per workflow caps runtime authority irrespective of the repo or org default, gives drift protection if the default ever widens, and is credited per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load on each touched file.

@eslintbot eslintbot added this to Triage May 15, 2026
@github-project-automation github-project-automation Bot moved this to Needs Triage in Triage May 15, 2026
@lumirlumir lumirlumir moved this from Needs Triage to Triaging in Triage May 18, 2026
lumirlumir
lumirlumir requested changes May 18, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@lumirlumir lumirlumir left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As mentioned in eslint/rewrite#452 (review), could you take a look at the CI failure?

@arpitjain099
ci: declare workflow-level contents: read on 4 workflows
a82e55f 
Pins the default GITHUB_TOKEN to contents: read on the workflows in
.github/workflows/ that don't call a GitHub API beyond the initial
checkout. The other workflows in this directory are left implicit
because they need write scopes that a maintainer is better placed
to declare.

Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files
compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow
caps bound runtime authority irrespective of repo or org default,
give drift protection if the default ever widens, and are credited
per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@arpitjain099 arpitjain099 force-pushed the chore/declare-workflow-perms-readonly branch from 3a0f5c8 to a82e55f Compare May 19, 2026 12:09
@arpitjain099
Copy link
Copy Markdown
Contributor Author

arpitjain099 commented May 19, 2026

Re-indented to 4-space + rebased per the rewrite#452 thread. Verify Files and the types check should be green next run.

lumirlumir
lumirlumir approved these changes May 19, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@lumirlumir lumirlumir left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

@lumirlumir lumirlumir merged commit addda58 into eslint:main May 19, 2026
36 checks passed
@github-project-automation github-project-automation Bot moved this from Triaging to Complete in Triage May 19, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lumirlumir lumirlumir lumirlumir approved these changes

Assignees

No one assigned

Labels

accepted build

Projects

Triage
Status: Complete

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@arpitjain099 @lumirlumir @eslintbot