From 85d5a1852215df8d97c1f4cb11e3d59cd791e28f Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Sun, 24 May 2026 11:30:31 +0900
Subject: [PATCH] ci: declare workflow-level contents: read on 3 PR-validation workflows

changed_files, cross-version-links, validate-branch-existence are PR-validation workflows that only read the PR diff. No GitHub API writes. contents: read at workflow level is appropriate. Post-CVE-2025-30066 hardening pattern. yaml.safe_load validated.

Signed-off-by: Arpit Jain
---
 .github/workflows/changed_files.yml | 3 +++
 .github/workflows/cross-version-links.yml | 3 +++
 .github/workflows/validate-branch-existence.yml | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/.github/workflows/changed_files.yml b/.github/workflows/changed_files.yml
index 18963c60d62..3b74f1696e0 100644
--- a/.github/workflows/changed_files.yml
+++ b/.github/workflows/changed_files.yml
@@ -3,6 +3,9 @@ name: List files changed as GitHub comment
 on: pull_request
 
+permissions:
+ contents: read
+
 jobs:
 list-files-changed:
 if: github.event.pull_request.head.repo.full_name == github.repository
diff --git a/.github/workflows/cross-version-links.yml b/.github/workflows/cross-version-links.yml
index 3a10e067f37..ac0cb82b42a 100644
--- a/.github/workflows/cross-version-links.yml
+++ b/.github/workflows/cross-version-links.yml
@@ -7,6 +7,9 @@ on:
 - 'src/current/**/*.md'
 - 'src/current/_includes/**/*.md'
 
+permissions:
+ contents: read
+
 jobs:
 check-cross-version-links:
 name: Check for cross-version links
diff --git a/.github/workflows/validate-branch-existence.yml b/.github/workflows/validate-branch-existence.yml
index abaadd47566..3bc764b3f0d 100644
--- a/.github/workflows/validate-branch-existence.yml
+++ b/.github/workflows/validate-branch-existence.yml
@@ -15,6 +15,9 @@ on:
 - cron: '0 7 * * *'
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 validate-branch-existence:
 name: Check crdb_branch_name entries against generated-diagrams
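Review bot: A workflow-level `permissions:` block sets every scope it does not list to `none`, and the first hunk's workflow is named `List files changed as GitHub comment` and runs on `pull_request`, which suggests a step that posts a PR comment and would need `pull-requests: write`; the job steps are outside the hunk, so this is inferred from the name and should be checked against the actual steps. If such a step exists, the commit message's "No GitHub API writes" does not hold for this file, and the loss of the scope shows up only as a 403 from the API at run time, not as a parse error. The narrowest fix is to keep `contents: read` at the workflow level and grant the extra scope on the `list-files-changed` job only, `permissions:` / `contents: read` / `pull-requests: write`, which the existing `if: github.event.pull_request.head.repo.full_name == github.repository` guard already limits to same-repository PRs. The same verification applies to the cross-version-links and validate-branch-existence hunks, whose job bodies are likewise not visible here; the `jobs:` sections in all three files continue past the hunks.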