From 255e0a2436f898c49ff3929b3ccc900d997a4c7b Mon Sep 17 00:00:00 2001 From: Marco Eidinger Date: Tue, 26 May 2026 11:09:19 -0700 Subject: [PATCH] [security] Add explicit permissions to GitHub Actions workflows Add explicit GITHUB_TOKEN permissions to comply with security hardening measures for supply chain attack prevention. - ci.yml: Set read-only permissions (contents: read) as the workflow only performs verification tasks - spm-collection.yml: Set write permissions (contents: write, pull-requests: write) required for creating PRs via peter-evans/create-pull-request action This change prepares the repository for the organization-wide switch to read-only default permissions scheduled for 27 May 2026. Reference: CPAWGOSS-1209 --- .github/workflows/ci.yml | 3 +++ .github/workflows/spm-collection.yml | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 60e8b9b..2ec5d04 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,6 +6,9 @@ on: pull_request: workflow_dispatch: +permissions: + contents: read + jobs: verify-swift-package-binaryTargets: runs-on: ubuntu-latest diff --git a/.github/workflows/spm-collection.yml b/.github/workflows/spm-collection.yml index 2228c70..ddf7e99 100644 --- a/.github/workflows/spm-collection.yml +++ b/.github/workflows/spm-collection.yml @@ -11,6 +11,10 @@ on: required: true default: "true" +permissions: + contents: write + pull-requests: write + jobs: generate-signed-collection: runs-on: macos-12