From eebb59bcb1b05dfcfb43500c3a74f493f4359080 Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Mon, 25 May 2026 12:36:40 +0900
Subject: [PATCH] ci: declare workflow-level contents: read on 3 submission-check workflows

Three submission-validation workflows (aggregate-on-push, on_pr, validate-all-prs-on-trigger). No GitHub API writes from the workflows. Post-CVE-2025-30066 hardening pattern. yaml.safe_load validated.

Signed-off-by: Arpit Jain
---
 .github/workflows/aggregate-on-push.yml | 33 ++++++++++---------
 .github/workflows/on_pr.yml | 3 ++
 .../workflows/validate-all-prs-on-trigger.yml | 3 ++
 3 files changed, 24 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/aggregate-on-push.yml b/.github/workflows/aggregate-on-push.yml
index ad3f9e6..aae046d 100644
--- a/.github/workflows/aggregate-on-push.yml
+++ b/.github/workflows/aggregate-on-push.yml
@@ -1,15 +1,18 @@
-name: aggregate-on-push
-
-on:
- push:
- branches:
- - main
-
-jobs:
- aggregate:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- - uses: ./.github/actions/aggregate-on-push
- with:
- GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+name: aggregate-on-push
+
+on:
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: read
+
+jobs:
+ aggregate:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - uses: ./.github/actions/aggregate-on-push
+ with:
+ GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
diff --git a/.github/workflows/on_pr.yml b/.github/workflows/on_pr.yml
index b241e6e..a331c12 100644
--- a/.github/workflows/on_pr.yml
+++ b/.github/workflows/on_pr.yml
@@ -1,5 +1,8 @@
 name: Submission PR Review
 on: pull_request
+permissions:
+ contents: read
+
 jobs:
 verify:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/validate-all-prs-on-trigger.yml b/.github/workflows/validate-all-prs-on-trigger.yml
index eaaf32d..605d29d 100644
--- a/.github/workflows/validate-all-prs-on-trigger.yml
+++ b/.github/workflows/validate-all-prs-on-trigger.yml
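Review bot: The `permissions:` block added at the top of aggregate-on-push.yml sets every scope it does not list to `none`, and the job still passes `${{secrets.GITHUB_TOKEN}}` into `./.github/actions/aggregate-on-push`; that action is not in the diff, so please confirm it only reads — if it pushes aggregated results or writes via the API (the name suggests it might), the token will now be rejected with a 403. The same reset applies to the blocks added in on_pr.yml and validate-all-prs-on-trigger.yml, whose job bodies lie outside their hunks: a step that lists or comments on pull requests through the API needs `pull-requests: read` (or `write`) declared alongside `contents: read`. The message cites CVE-2025-30066, yet `actions/checkout@v2` stays pinned to a mutable tag; the hardening that incident motivates is a full commit SHA, e.g. `- uses: actions/checkout@<full-commit-sha>  # v4`. Finally, this hunk replaces all 15 lines of the file to add 3, which looks like an unmentioned line-ending or whitespace change; stating it in the message (or normalizing with `.gitattributes`) would keep the diff reviewable.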
@@ -3,6 +3,9 @@ name: validate-all-prs-on-trigger on: workflow_dispatch +permissions: + contents: read + jobs: validate: runs-on: ubuntu-latest