
ci: declare workflow-level contents: read on 3 workflows #388

Closed
arpitjain099 wants to merge 1 commit into facebook:main from arpitjain099:chore/declare-workflow-perms-readonly

Conversation

@arpitjain099

Contributor

Pins the default GITHUB_TOKEN to contents: read on 3 workflows in .github/workflows/ that don't call a GitHub API beyond the initial checkout.

Why

CVE-2025-30066 (March 2025 tj-actions/changed-files supply-chain compromise) exfiltrated GITHUB_TOKEN from workflow logs. Pinning per workflow caps runtime authority irrespective of the repo or org default, gives drift protection if the default ever widens, and is credited per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load on each touched file.

Pins the default GITHUB_TOKEN to contents: read on workflows that don't
call a GitHub API beyond the initial checkout. Other workflows that need
write scopes are left implicit for a maintainer to declare.

Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files
compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow
caps bound runtime authority irrespective of repo or org default,
give drift protection, and are credited per-file by the OpenSSF
Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
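An added check (example code, not the PR's or the project's own) that applies the same yaml.safe_load parsing to verify what this PR declares: a workflow-level permissions block granting contents: read with no write scope, plus a report of any job that widens a scope. The workflow documents are constructed samples, and load_workflow assumes PyYAML is installed.

```python
from typing import Any, Dict, List

def _scopes(perms: Any) -> Dict[str, str]:
    """Normalise a `permissions` value to {scope: level}: GitHub accepts a
    mapping like {contents: read}, 'read-all'/'write-all', or {} (all off)."""
    if isinstance(perms, dict):
        return {str(k): str(v) for k, v in perms.items()}
    if perms in ("read-all", "write-all"):
        return {"all": perms.split("-")[0]}
    return {}

def check_workflow(doc: Dict[str, Any]) -> List[str]:
    """Return findings; an empty list means GITHUB_TOKEN is pinned read-only."""
    findings = []
    if "permissions" not in doc:
        findings.append("no workflow-level permissions: GITHUB_TOKEN inherits the repo/org default")
    else:
        top = _scopes(doc["permissions"])
        if "read" not in (top.get("contents"), top.get("all")):
            findings.append("workflow-level permissions do not grant contents: read (checkout needs it)")
        findings += [f"workflow-level {s}: write" for s, lvl in top.items() if lvl == "write"]
    # Job-level blocks override the workflow default; write scopes there are the
    # ones the PR description leaves for a maintainer to declare deliberately.
    for name, job in (doc.get("jobs") or {}).items():
        findings += [f"job {name!r} widens {s} to write"
                     for s, lvl in _scopes(job.get("permissions")).items() if lvl == "write"]
    return findings

def load_workflow(path: str) -> Dict[str, Any]:
    """Parse one file the way the PR validated it (PyYAML safe_load). Note that
    safe_load returns the `on:` key as the boolean True (YAML 1.1), not "on"."""
    import yaml  # PyYAML; imported here so check_workflow itself runs without it
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}

# Constructed samples (not files from this repository): a CI workflow as it
# looks before and after the change this PR makes, plus a job-level override.
BEFORE = {"name": "build", "on": ["push", "pull_request"],
          "jobs": {"build": {"runs-on": "ubuntu-latest",
                             "steps": [{"uses": "actions/checkout@v4"}, {"run": "make"}]}}}
AFTER = {**BEFORE, "permissions": {"contents": "read"}}
RELEASE = {**AFTER, "jobs": {"publish": {"permissions": {"contents": "write"}, "steps": []}}}

if __name__ == "__main__":  # run from a repository root: exits non-zero on any finding
    import glob, sys
    problems = [f"{p}: {f}" for p in sorted(glob.glob(".github/workflows/*.y*ml"))
                for f in check_workflow(load_workflow(p))]
    print("\n".join(problems) or "all workflows pinned to contents: read")
    sys.exit(1 if problems else 0)
```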
meta-cla Bot added the cla signed label May 16, 2026

meta-codesync Bot commented May 16, 2026

Contributor

@corporateshark has imported this pull request. If you are a Meta employee, you can view this in D105404806.


meta-codesync Bot commented May 18, 2026

Contributor

@corporateshark merged this pull request in 6b5d2b7.


2 participants