ci: declare least-privilege workflow-level contents: read#150

Open
arpitjain099 wants to merge 1 commit into facebook:main from arpitjain099:chore/declare-workflow-perms

Conversation

@arpitjain099

This PR adds a workflow-level permissions: contents: read to 1 workflow that currently has no permissions: block (and therefore gets the default broad read-write token). Each affected workflow was inspected and only reads repository contents; no publish/release/push/comment paths, so the change is non-functional in steady state and just shrinks the blast radius.

This follows GitHub's documented Actions security recommendation. Happy to split per-file or adjust naming if preferred.

Declares an explicit workflow-level permissions: contents: read on 1 workflow that currently inherits the default broad read-write GITHUB_TOKEN. Each file was inspected and only reads the checkout; none publish, push, or write via the GitHub API. Post-CVE-2025-30066 hardening default.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
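As an added example (not code from this PR or the repository), a small audit script that flags workflow files with no workflow-level permissions block and inserts the contents: read declaration the PR describes. The workflow files below are constructed samples, and the line-based check assumes the usual layout where top-level YAML keys sit at column 0.

```python
import re
from typing import Dict, List

# A workflow-level key sits at column 0; job-level "permissions:" blocks are
# indented, so they do not match and do not count as a workflow-wide default.
TOP_LEVEL_PERMISSIONS = re.compile(r"^permissions\s*:", re.MULTILINE)
TOP_LEVEL_JOBS = re.compile(r"^jobs\s*:", re.MULTILINE)

def has_workflow_permissions(workflow_yaml: str) -> bool:
    """True if the workflow declares its own top-level permissions block."""
    return TOP_LEVEL_PERMISSIONS.search(workflow_yaml) is not None

def audit(workflows: Dict[str, str]) -> List[str]:
    """Names of workflows that still inherit the repository's default GITHUB_TOKEN scope."""
    return sorted(name for name, text in workflows.items()
                  if not has_workflow_permissions(text))

def add_contents_read(workflow_yaml: str) -> str:
    """Insert a workflow-level 'permissions: contents: read' just above 'jobs:'.
    Workflows that already declare permissions are returned unchanged."""
    if has_workflow_permissions(workflow_yaml):
        return workflow_yaml
    match = TOP_LEVEL_JOBS.search(workflow_yaml)
    if match is None:
        raise ValueError("no top-level jobs: key found")
    return (workflow_yaml[:match.start()]
            + "permissions:\n  contents: read\n\n"
            + workflow_yaml[match.start():])

# Constructed sample workflows (hypothetical; not files from the repository).
SAMPLES: Dict[str, str] = {
    # No permissions block at all: this workflow gets the default token.
    "ci.yml": ("name: CI\non: [push, pull_request]\n\njobs:\n  test:\n"
               "    runs-on: ubuntu-latest\n    steps:\n"
               "      - uses: actions/checkout@v4\n      - run: make test\n"),
    # Already least-privilege at the workflow level.
    "lint.yml": ("name: Lint\non: pull_request\n\npermissions:\n  contents: read\n\n"
                 "jobs:\n  lint:\n    runs-on: ubuntu-latest\n    steps:\n"
                 "      - uses: actions/checkout@v4\n      - run: make lint\n"),
    # Only one job restricts itself; the 'notify' job still gets the default token.
    "release.yml": ("name: Release\non: push\n\njobs:\n  build:\n"
                    "    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n"
                    "    steps:\n      - uses: actions/checkout@v4\n"
                    "  notify:\n    runs-on: ubuntu-latest\n    steps:\n      - run: echo done\n"),
}

if __name__ == "__main__":
    for name in audit(SAMPLES):
        print(f"{name}: no workflow-level permissions block")
        print(add_contents_read(SAMPLES[name]))
```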
@meta-cla bot added the CLA Signed label May 31, 2026