From 31984bac0b8109cb2d8e82e75ebd5f242916615a Mon Sep 17 00:00:00 2001 From: Arpit Jain Date: Sun, 17 May 2026 12:15:27 +0900 Subject: [PATCH] ci: declare workflow-level contents: read on 2 workflows Pins the default GITHUB_TOKEN to contents: read on workflows that don't call a GitHub API beyond the initial checkout. Other workflows that need write scopes are left implicit for a maintainer to declare. Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow caps bound runtime authority irrespective of repo or org default, give drift protection, and are credited per-file by the OpenSSF Scorecard Token-Permissions check. YAML validated locally with yaml.safe_load. Signed-off-by: Arpit Jain --- .github/workflows/core-build.yml | 3 +++ .github/workflows/it-case-tests.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/.github/workflows/core-build.yml b/.github/workflows/core-build.yml index 2dc55f49..eda64709 100644 --- a/.github/workflows/core-build.yml +++ b/.github/workflows/core-build.yml @@ -2,6 +2,9 @@ name: PSC-Java Build on: [pull_request] +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest diff --git a/.github/workflows/it-case-tests.yml b/.github/workflows/it-case-tests.yml index 3aefa4be..1d254df4 100644 --- a/.github/workflows/it-case-tests.yml +++ b/.github/workflows/it-case-tests.yml @@ -2,6 +2,9 @@ name: ITCase Tests on: [pull_request] +permissions: + contents: read + jobs: build: