
ci: declare least-privilege workflow-level contents: read#1249

Open
arpitjain099 wants to merge 1 commit into
facebook:mainfrom
arpitjain099:chore/declare-workflow-perms

Conversation

@arpitjain099

This PR adds a workflow-level `permissions: contents: read` to 5 workflow(s) that currently have no `permissions:` block (and therefore get the default broad read-write token). Each affected workflow was inspected and only reads repository contents; no publish/release/push/comment paths, so the change is non-functional in steady state and just shrinks the blast radius.

This follows GitHub's documented Actions security recommendation. Happy to split per-file or adjust naming if preferred.

Declares an explicit workflow-level `permissions: contents: read` on 5 workflows that currently inherit the default broad read-write `GITHUB_TOKEN`. Each file was inspected and only reads the checkout; none publish, push, or write via the GitHub API. Post-CVE-2025-30066 hardening default.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@arpitjain099 arpitjain099 requested a review from a team as a code owner May 31, 2026 01:21
@meta-cla meta-cla Bot added the CLA Signed label May 31, 2026
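The pattern the PR describes, shown as an added example that is not the PR's diff and not any of the repository's real workflows: three constructed workflow files (one with no `permissions:` block, one with the workflow-level `contents: read` the PR adds, and one that only scopes a single job) plus a small POSIX sh audit function that reports which files lack a workflow-level `permissions:` key. The file names, job contents and `make` targets are constructed for illustration. Two caveats a reviewer would want stated: whether the inherited token is really read-write depends on the repository's or organization's "default workflow permissions" setting, and declaring the block in the file is what removes that dependency; and once any permission is declared at workflow level, every scope not listed becomes `none` for every job, so a job that genuinely needs more (for example `pull-requests: write` to comment) must declare it at job level, which overrides the workflow-level block for that job only.

```shell
#!/bin/sh
# Added example, not code from the PR. Audits GitHub Actions workflow files
# for a missing workflow-level permissions block. All sample files below are
# constructed; the real repository's workflows are not reproduced here.

# Print the names of *.yml / *.yaml files under $1 that have no top-level
# "permissions:" key. A top-level key starts in column 0, so a job-level
# block (indented under jobs.<id>) does not count: the other jobs in that
# file still inherit the repository default token.
missing_workflow_perms() {
  dir="$1"
  for f in "$dir"/*.yml "$dir"/*.yaml; do
    [ -f "$f" ] || continue
    if ! grep -q '^permissions:' "$f"; then
      basename "$f"
    fi
  done
}

# Write three constructed workflows into $1 (constructed sample, not real).
make_samples() {
  dir="$1"
  mkdir -p "$dir"
  # Weak: no permissions block. GITHUB_TOKEN gets whatever the repository or
  # organization default is, and every step, including third-party actions,
  # can use it.
  cat > "$dir/lint.yml" <<'EOF'
name: lint
on: [push, pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make lint
EOF
  # Hardened: workflow-level least privilege. Every job gets contents: read
  # and no other scope unless the job itself declares more.
  cat > "$dir/test.yml" <<'EOF'
name: test
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
EOF
  # Job-level only: the "release" job is scoped, but "build" still gets the
  # default token, so this file is still reported as missing the top-level key.
  cat > "$dir/release.yml" <<'EOF'
name: release
on:
  push:
    tags: ['v*']
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make dist
  release:
    permissions:
      contents: write
    runs-on: ubuntu-latest
    needs: build
    steps:
      - run: echo "would upload release assets"
EOF
}

# Stand-alone run: materialize the samples in a temp dir and report.
tmp=$(mktemp -d)
make_samples "$tmp"
echo "workflows with no workflow-level permissions block (inherit the repo default):"
missing_workflow_perms "$tmp"
rm -rf "$tmp"
```

Run against a real checkout with `missing_workflow_perms .github/workflows`. The check is deliberately line-based: any column-0 `permissions:` line counts as declared, whatever its value, so it flags omission rather than validating scopes; a stricter audit would parse the YAML and also inspect job-level blocks for `write` scopes that the job does not need.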