From 244843d6f11c8f9614f97268055dc94764844f88 Mon Sep 17 00:00:00 2001 From: Arpit Jain Date: Fri, 15 May 2026 14:44:21 +0900 Subject: [PATCH] ci: declare workflow-level contents: read on 6 workflows Pins the default GITHUB_TOKEN to contents: read on the workflows in .github/workflows/ that don't call a GitHub API beyond the initial checkout. The other workflows in this directory are left implicit because they need write scopes that a maintainer is better placed to declare. Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow caps bound runtime authority irrespective of repo or org default, give drift protection if the default ever widens, and are credited per-file by the OpenSSF Scorecard Token-Permissions check. YAML validated locally with yaml.safe_load. Signed-off-by: Arpit Jain --- .github/workflows/build-documentation.yml | 3 +++ .github/workflows/build-run-app.yml | 3 +++ .github/workflows/format-check.yml | 3 +++ .github/workflows/mcdc.yml | 3 +++ .github/workflows/static-analysis.yml | 3 +++ .github/workflows/unit-test-coverage.yml | 3 +++ 6 files changed, 18 insertions(+) diff --git a/.github/workflows/build-documentation.yml b/.github/workflows/build-documentation.yml index c0468d3..6308c73 100644 --- a/.github/workflows/build-documentation.yml +++ b/.github/workflows/build-documentation.yml @@ -12,6 +12,9 @@ on: - synchronize workflow_dispatch: +permissions: + contents: read + jobs: build-documentation: name: Build and deploy cFS documents diff --git a/.github/workflows/build-run-app.yml b/.github/workflows/build-run-app.yml index a3b6a58..f71f402 100644 --- a/.github/workflows/build-run-app.yml +++ b/.github/workflows/build-run-app.yml @@ -15,6 +15,9 @@ on: # 9:35 PM UTC every Sunday - cron: '35 21 * * 0' +permissions: + contents: read + jobs: build-run: name: Build and run with startup msg verification 
diff --git a/.github/workflows/format-check.yml b/.github/workflows/format-check.yml index a47839d..bb03a3a 100644 --- a/.github/workflows/format-check.yml +++ b/.github/workflows/format-check.yml @@ -13,6 +13,9 @@ on: - synchronize workflow_dispatch: +permissions: + contents: read + jobs: format-check: name: Run format check diff --git a/.github/workflows/mcdc.yml b/.github/workflows/mcdc.yml index 2a59a85..cca0ea9 100644 --- a/.github/workflows/mcdc.yml +++ b/.github/workflows/mcdc.yml @@ -12,6 +12,9 @@ on: - synchronize workflow_dispatch: +permissions: + contents: read + jobs: mcdc: name: Run MCDC Analysis diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml index 85dccf2..8f1159b 100644 --- a/.github/workflows/static-analysis.yml +++ b/.github/workflows/static-analysis.yml @@ -12,6 +12,9 @@ on: - synchronize workflow_dispatch: +permissions: + contents: read + jobs: static-analysis: name: Static Analysis diff --git a/.github/workflows/unit-test-coverage.yml b/.github/workflows/unit-test-coverage.yml index 6172d6b..9afd714 100644 --- a/.github/workflows/unit-test-coverage.yml +++ b/.github/workflows/unit-test-coverage.yml @@ -15,6 +15,9 @@ on: # 9:25 PM UTC every Sunday - cron: '25 21 * * 0' +permissions: + contents: read + jobs: unit-test-coverage: name: Run unit test and coverage
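Review bot: in the build-documentation.yml hunk, the job below the new block is named "Build and deploy cFS documents", and a deploy step that pushes to a branch or to GitHub Pages with GITHUB_TOKEN will fail with a 403 once the workflow is capped at `contents: read`. Please confirm the deploy only uploads an artifact; if it does push, keep the workflow-level `contents: read` and add a job-level `permissions:` block with the extra scope on that one job rather than widening the top level.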
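Review bot: in the static-analysis.yml hunk, the job is named "Static Analysis"; if it uploads SARIF results to code scanning, that step needs `security-events: write`, which the new workflow-level block does not grant. Worth checking the steps below this hunk and, if needed, declaring the scope at job level so the read-only default still applies to everything else.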
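Review bot: in the build-run-app.yml and unit-test-coverage.yml hunks, the `permissions:` block is placed after the `- cron:` line, so it sits inside neither `on:` nor `jobs:` and is parsed as a top-level key, which is correct. One documentation point for all six hunks: a short comment above each block (for example `# least-privilege token; raise per job if a step needs more`) would tell the next editor why the cap is there, since the rationale currently lives only in this commit message.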