Skip to content

ci: declare workflow-level contents: read on 5 workflows#1066

Merged
vvo merged 1 commit into
vercel:mainfrom
arpitjain099:chore/declare-workflow-perms-readonly
May 28, 2026
Merged

ci: declare workflow-level contents: read on 5 workflows#1066
vvo merged 1 commit into
vercel:mainfrom
arpitjain099:chore/declare-workflow-perms-readonly

Conversation

@arpitjain099

@arpitjain099 arpitjain099 commented May 15, 2026

Copy link
Copy Markdown
Contributor

Pins the default GITHUB_TOKEN to contents: read on 5 workflows in .github/workflows/ that don't call a GitHub API beyond the initial checkout.

The following files were left implicit because they reference GITHUB_TOKEN / use a write-scope action / trigger on pull_request_target. Those scopes are best declared by maintainers: integration-tests-live.yml.

Why

CVE-2025-30066 (March 2025 tj-actions/changed-files supply-chain compromise) exfiltrated GITHUB_TOKEN from workflow logs. Pinning per workflow caps runtime authority irrespective of the repo or org default, gives drift protection if the default ever widens, and is credited per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load on each touched file.

@vercel

vercel Bot commented May 15, 2026

Copy link
Copy Markdown
Contributor

@arpitjain099 is attempting to deploy a commit to the Curated Tests - Permanent E2E Team on Vercel.

A member of the Team first needs to authorize it.

@changeset-bot

changeset-bot Bot commented May 15, 2026
edited
Loading

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 52f4a99

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

vvo
vvo approved these changes May 27, 2026
View reviewed changes

@vvo vvo left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Additive workflow-level contents: read hardening; matches the OpenSSF Scorecard Token-Permissions pattern. Verified each touched workflow only does checkout + build/test/deprecate and makes no GitHub API calls beyond that.

@vvo

vvo commented May 27, 2026

Copy link
Copy Markdown
Member

@arpitjain099 We require signed commits: https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits can you do that? thx

@arpitjain099

arpitjain099 commented May 27, 2026

Copy link
Copy Markdown
Contributor Author

@arpitjain099 We require signed commits: https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits can you do that? thx

@vvo sure. Let me do it tonight after getting back home.

@arpitjain099
ci: declare workflow-level contents: read on 5 workflows
52f4a99 
Pins the default GITHUB_TOKEN to contents: read on the workflows in
.github/workflows/ that don't call a GitHub API beyond the initial
checkout. The other workflows in this directory are left implicit
because they need write scopes that a maintainer is better placed
to declare.

Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files
compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow
caps bound runtime authority irrespective of repo or org default,
give drift protection if the default ever widens, and are credited
per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@arpitjain099 arpitjain099 force-pushed the chore/declare-workflow-perms-readonly branch from cc1f1c9 to 52f4a99 Compare May 28, 2026 01:33
@arpitjain099

arpitjain099 commented May 28, 2026

Copy link
Copy Markdown
Contributor Author

@vvo done - rebased and re-signed with SSH. Commit should now show as Verified.

@vvo vvo merged commit 312d176 into vercel:main May 28, 2026
2 of 3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vvo vvo vvo approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@arpitjain099 @vvo