Declare contents: read on python-validation and yaml-validation#1176
Open
arpitjain099 wants to merge 1 commit into
Open
Declare contents: read on python-validation and yaml-validation#1176arpitjain099 wants to merge 1 commit into
arpitjain099 wants to merge 1 commit into
Conversation
Both workflows only checkout the repo and run lint/test commands locally, so the default GITHUB_TOKEN's scope can be pinned to read-only. Uses the per-job permissions style already in terraform-validation.yml. Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
arpitjain099
requested review from
alyssa1303,
anson627,
liyu-ma,
sumanthreddy29,
vittoriasalim,
wonderyl and
xinWeiWei24
as code owners
Contributor
There was a problem hiding this comment.
Pull request overview
This PR reduces the default GITHUB_TOKEN privileges for two lint-only GitHub Actions workflows by explicitly scoping job permissions to contents: read, aligning them with the existing least-privilege pattern used elsewhere (e.g., terraform-validation.yml).
Changes:
- Set
permissions: contents: readfor theyaml-validationjob. - Set
permissions: contents: readfor thepython-validationjob.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/yaml-validation.yml | Pins the YAML lint job’s token permissions to contents: read. |
| .github/workflows/python-validation.yml | Pins the Python lint/test job’s token permissions to contents: read. |
arpitjain099
force-pushed
the
ci/add-permissions
branch
from
9112968 to
44cdfba
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Two lint-only workflows currently rely on the default
GITHUB_TOKENscope, which can include write access to several scopes depending on org/repo defaults. This PR pins both jobs tocontents: read, matching the per-job permissions style already used interraform-validation.yml.python-validation.yml: only runs pylint + pytest on changed files.yaml-validation.yml: only runsyamllint.Neither touches issues, PRs, releases, packages, or pages, so
contents: readis sufficient. Validated byyaml.safe_loadon each edited file.