From 80056c7f54dc13bcd6cde30aec3eab5097278827 Mon Sep 17 00:00:00 2001 From: Arpit Jain Date: Fri, 15 May 2026 16:00:18 +0900 Subject: [PATCH] ci: declare workflow-level contents: read on 2 workflows Pins the default GITHUB_TOKEN to contents: read on the workflows in .github/workflows/ that don't call a GitHub API beyond the initial checkout. The other workflows in this directory are left implicit because they need write scopes that a maintainer is better placed to declare. Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow caps bound runtime authority irrespective of repo or org default, give drift protection if the default ever widens, and are credited per-file by the OpenSSF Scorecard Token-Permissions check. YAML validated locally with yaml.safe_load. Signed-off-by: Arpit Jain --- .github/workflows/frontend-lint.yml | 3 +++ .github/workflows/pr-title-lint.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/.github/workflows/frontend-lint.yml b/.github/workflows/frontend-lint.yml index 7e9f9e76e9..4625c1ad71 100644 --- a/.github/workflows/frontend-lint.yml +++ b/.github/workflows/frontend-lint.yml @@ -5,6 +5,9 @@ on: paths: - 'frontend/**' +permissions: + contents: read + jobs: lint-frontend: runs-on: ubuntu-latest diff --git a/.github/workflows/pr-title-lint.yml b/.github/workflows/pr-title-lint.yml index 04afb9d2ce..285bc6d997 100644 --- a/.github/workflows/pr-title-lint.yml +++ b/.github/workflows/pr-title-lint.yml @@ -9,6 +9,9 @@ on: # Possible values: https://help.github.com/en/actions/reference/events-that-trigger-workflows#pull-request-event-pull_request types: [opened, edited, reopened, synchronize] +permissions: + contents: read + jobs: pr-title-lint: uses: linuxfoundation/lfx-ui/.github/workflows/_pr-title-lint.yml@main \ No newline at end of file