From 0d3fc87f44ee2d5c9f05feec992d3c51fc7a795b Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Sun, 31 May 2026 10:11:49 +0900
Subject: [PATCH] ci: declare workflow-level contents: read on 3 workflows

Declares an explicit workflow-level permissions: contents: read on 3 workflows that currently inherit the default broad read-write GITHUB_TOKEN. Each file was inspected and only reads the checkout; none publish, push, or write via the GitHub API. Post-CVE-2025-30066 hardening default.

Signed-off-by: Arpit Jain
---
 .github/workflows/deploy.yml | 4 ++++
 .github/workflows/link-check.yml | 4 ++++
 .github/workflows/lint.yml | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index ba4e2b39827d1..e7b3b101e6a1e 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -18,6 +18,10 @@ on:
 default: 'master'
 
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
+
+permissions:
+ contents: read
+
 jobs:
 # This workflow contains a single job called "build"
 build:
diff --git a/.github/workflows/link-check.yml b/.github/workflows/link-check.yml
index d88c8f282fbbd..f4b3a1990c2ee 100644
--- a/.github/workflows/link-check.yml
+++ b/.github/workflows/link-check.yml
@@ -14,6 +14,10 @@ on:
 - cron: "0 5 * * *"
 
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
+
+permissions:
+ contents: read
+
 jobs:
 # This workflow contains a single job called "build"
 check:
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index a89cf69beefcf..c5b5e5116e3cd 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -2,6 +2,10 @@ name: ❄️ Lint
 
 on: [pull_request]
 
+
+permissions:
+ contents: read
+
 jobs:
 markdownlint:
 name: 🍇 Markdown
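Review bot: The new `permissions:` block in deploy.yml is inserted between the `# A workflow run is made up of one or more jobs ...` comment and `jobs:`, so the comment now introduces the permissions stanza instead of the jobs it describes; move the `permissions:` / `contents: read` lines (with their blank line) above that comment so it stays attached to `jobs:`. The same placement applies to the link-check.yml hunk. Separately, a workflow named deploy with a `workflow_dispatch` input defaulting to `'master'` usually ends in a push or a Pages deploy, and the `build` job body is outside this hunk; the commit message says the file only reads, but if any step uses `GITHUB_TOKEN` to write (branch push needs `contents: write`, `actions/deploy-pages` needs `pages: write` and `id-token: write`), the workflow-level read scope will make that step fail at deploy time, so that job would need its own job-level `permissions:` block rather than a broader workflow-level one.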
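Review bot: This workflow runs on a schedule (`cron: "0 5 * * *"`), and the `check` job whose steps are outside the hunk is the part that decides whether `contents: read` is sufficient; link checkers run on a schedule are commonly configured to open or update a tracking issue when links break, which needs `issues: write`. If the job does that, keep the workflow-level `contents: read` as added and grant the extra scope on the job itself, e.g. `permissions:` / `contents: read` / `issues: write` under `check:`, so the read-only default still applies to everything else.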
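Review bot: By the hunk's line counts (6 old, 10 new) lint.yml already had a blank line after `on: [pull_request]`, so adding a leading `+` blank line before `permissions:` leaves two consecutive blank lines in the new file, unlike deploy.yml and link-check.yml which end up with one; drop the first added blank line so the three workflows are formatted the same way. The `markdownlint` job body is outside the hunk; if it uses a reporter that writes check runs or PR review comments, that job needs a job-level `checks: write` or `pull-requests: write`, otherwise the workflow-level `contents: read` is the right scope for a `pull_request`-triggered lint.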