
Commit 97ef663

ci: declare workflow-level contents: read on the 9 python-N.yml build workflows
Pins the default GITHUB_TOKEN to contents: read on the per-Python-version build workflows. Each runs sphinx-build against the translated rst files and uploads the rendered HTML as a workflow artifact, with no GitHub API mutation.

Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow caps bound runtime authority irrespective of repo or org default, give drift protection if the default ever widens, and are credited per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
1 parent 1413177 commit 97ef663

9 files changed

Lines changed: 27 additions & 0 deletions


.github/workflows/python-310.yml

Lines changed: 3 additions & 0 deletions
@@ -5,6 +5,9 @@ on:
55
schedule:
66
- cron: '15 0 * * *'
77

8+
permissions:
9+
contents: read
10+
811
jobs:
912
sync:
1013
uses: ./.github/workflows/sync.yml
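Review bot: the only job visible in this hunk delegates to the reusable workflow `./.github/workflows/sync.yml`, and a caller-level `permissions` block is a ceiling for the called workflow, which can only narrow the inherited token further. Please confirm that `sync.yml` neither declares nor needs any scope beyond `contents: read` (for example `actions: write` or `id-token: write`), otherwise the failure surfaces at run time as a 403 from the API rather than at YAML validation. The sphinx-build and artifact upload described in the commit message are not in this file's visible lines, so the cap reaches them only through this inheritance; uploading with the artifact action needs no write scope on GITHUB_TOKEN, so `contents: read` should be sufficient for that step.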

.github/workflows/python-311.yml

Lines changed: 3 additions & 0 deletions
@@ -5,6 +5,9 @@ on:
55
schedule:
66
- cron: '0 0 * * *'
77

8+
permissions:
9+
contents: read
10+
811
jobs:
912
sync:
1013
uses: ./.github/workflows/sync.yml
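Review bot: worth stating in the message or a comment that this cap limits what a leaked token can do, not whether it leaks; the exfiltration path cited in the commit message (tokens printed into workflow logs) is unchanged by a `permissions` block. With `contents: read`, a token exposed from a public repository grants nothing beyond anonymous access, which is the real gain here, whereas on a private repository it still reads source. Any repository secrets passed through to `sync.yml` (none are shown in this hunk) are outside the scope of this change and would need their own review.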

.github/workflows/python-312.yml

Lines changed: 3 additions & 0 deletions
@@ -5,6 +5,9 @@ on:
55
schedule:
66
- cron: '45 23 * * *'
77

8+
permissions:
9+
contents: read
10+
811
jobs:
912
sync:
1013
uses: ./.github/workflows/sync.yml

.github/workflows/python-313.yml

Lines changed: 3 additions & 0 deletions
@@ -13,6 +13,9 @@ on:
1313
- main
1414
- '3.13'
1515

16+
permissions:
17+
contents: read
18+
1619
jobs:
1720
sync:
1821
uses: ./.github/workflows/sync.yml
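Review bot: this workflow also triggers on pushes to `main` and the `'3.13'` branch, and a workflow-level `permissions` block applies to every job on every trigger. That is the intended behaviour for a read-only build, but if a job later in the file (not visible here) ever needs to push rendered output or post a status, give that job its own narrower `permissions:` block rather than widening this workflow-level one, so the default for the remaining jobs stays at `contents: read`.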

.github/workflows/python-314.yml

Lines changed: 3 additions & 0 deletions
@@ -13,6 +13,9 @@ on:
1313
- main
1414
- '3.14'
1515

16+
permissions:
17+
contents: read
18+
1619
jobs:
1720
sync:
1821
uses: ./.github/workflows/sync.yml

.github/workflows/python-315.yml

Lines changed: 3 additions & 0 deletions
@@ -13,6 +13,9 @@ on:
1313
- main
1414
- '3.15'
1515

16+
permissions:
17+
contents: read
18+
1619
jobs:
1720
sync:
1821
uses: ./.github/workflows/sync.yml

.github/workflows/python-37.yml

Lines changed: 3 additions & 0 deletions
@@ -3,6 +3,9 @@ name: python-37
33
on:
44
workflow_dispatch:
55

6+
permissions:
7+
contents: read
8+
69
jobs:
710
sync:
811
uses: ./.github/workflows/sync.yml
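Review bot: documentation and validation point rather than a logic issue: the file gives a future reader no context for why the block exists, so a one-line comment above `permissions:` (pointing at the Scorecard Token-Permissions check or the CVE named in the commit message) would keep the cap from being "cleaned up" later. Separately, `yaml.safe_load` as cited in the message only proves the file parses as YAML; it will not catch a mistyped scope name or value under `permissions:`, which `actionlint` would flag against the Actions schema.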

.github/workflows/python-38.yml

Lines changed: 3 additions & 0 deletions
@@ -3,6 +3,9 @@ name: python-38
33
on:
44
workflow_dispatch:
55

6+
permissions:
7+
contents: read
8+
69
jobs:
710
sync:
811
uses: ./.github/workflows/sync.yml

.github/workflows/python-39.yml

Lines changed: 3 additions & 0 deletions
@@ -3,6 +3,9 @@ name: python-39
33
on:
44
workflow_dispatch:
55

6+
permissions:
7+
contents: read
8+
69
jobs:
710
sync:
811
uses: ./.github/workflows/sync.yml
