From 97ef663d0404aa31f892a07293ae2077ebb335dd Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Fri, 15 May 2026 07:33:19 +0900
Subject: [PATCH] ci: declare workflow-level contents: read on the 9 python-N.yml build workflows

Pins the default GITHUB_TOKEN to contents: read on the per-Python- version build workflows. Each runs sphinx-build against the translated rst files and uploads the rendered HTML as a workflow artifact, with no GitHub API mutation.

Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow caps bound runtime authority irrespective of repo or org default, give drift protection if the default ever widens, and are credited per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load.

Signed-off-by: Arpit Jain
---
 .github/workflows/python-310.yml | 3 +++
 .github/workflows/python-311.yml | 3 +++
 .github/workflows/python-312.yml | 3 +++
 .github/workflows/python-313.yml | 3 +++
 .github/workflows/python-314.yml | 3 +++
 .github/workflows/python-315.yml | 3 +++
 .github/workflows/python-37.yml | 3 +++
 .github/workflows/python-38.yml | 3 +++
 .github/workflows/python-39.yml | 3 +++
 9 files changed, 27 insertions(+)

diff --git a/.github/workflows/python-310.yml b/.github/workflows/python-310.yml
index 2cb3a2d71..cbafdf361 100644
--- a/.github/workflows/python-310.yml
+++ b/.github/workflows/python-310.yml
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: '15 0 * * *'
 
+permissions:
+ contents: read
+
 jobs:
 sync:
 uses: ./.github/workflows/sync.yml
diff --git a/.github/workflows/python-311.yml b/.github/workflows/python-311.yml
index a62785b3d..796facdec 100644
--- a/.github/workflows/python-311.yml
+++ b/.github/workflows/python-311.yml
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: '0 0 * * *'
 
+permissions:
+ contents: read
+
 jobs:
 sync:
 uses: ./.github/workflows/sync.yml
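Review bot: The new workflow-level `permissions: contents: read` also caps the GITHUB_TOKEN passed to the reusable workflow invoked by `jobs.sync.uses: ./.github/workflows/sync.yml`, whose own permission requirements are not visible in this patch; a called workflow can never hold more than its caller grants, so if sync.yml commits synced files or opens a pull request its write scopes would be silently reduced to read and the run would fail at that API call rather than at parse time. The commit message states there is no GitHub API mutation, which is worth confirming against sync.yml before merging, and any job that does need more should be widened at job level rather than at this key. A one-line comment above the block would record that intent for the next maintainer, e.g. `# Caps GITHUB_TOKEN for every job, including the called sync.yml; widen per job, never here.`. The identical hunk appears in python-311 through python-39 (the other eight files in the diffstat), and each workflow's jobs section continues outside the hunk, so further jobs affected by this cap are not shown here.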
diff --git a/.github/workflows/python-312.yml b/.github/workflows/python-312.yml
index 2b2b26072..467b4d767 100644
--- a/.github/workflows/python-312.yml
+++ b/.github/workflows/python-312.yml
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: '45 23 * * *'
 
+permissions:
+ contents: read
+
 jobs:
 sync:
 uses: ./.github/workflows/sync.yml
diff --git a/.github/workflows/python-313.yml b/.github/workflows/python-313.yml
index 85340a6bd..e54cbeff7 100644
--- a/.github/workflows/python-313.yml
+++ b/.github/workflows/python-313.yml
@@ -13,6 +13,9 @@ on:
 - main
 - '3.13'
 
+permissions:
+ contents: read
+
 jobs:
 sync:
 uses: ./.github/workflows/sync.yml
diff --git a/.github/workflows/python-314.yml b/.github/workflows/python-314.yml
index d800e9529..4c8e7df0b 100644
--- a/.github/workflows/python-314.yml
+++ b/.github/workflows/python-314.yml
@@ -13,6 +13,9 @@ on:
 - main
 - '3.14'
 
+permissions:
+ contents: read
+
 jobs:
 sync:
 uses: ./.github/workflows/sync.yml
diff --git a/.github/workflows/python-315.yml b/.github/workflows/python-315.yml
index c1413a42a..fbc68c3b0 100644
--- a/.github/workflows/python-315.yml
+++ b/.github/workflows/python-315.yml
@@ -13,6 +13,9 @@ on:
 - main
 - '3.15'
 
+permissions:
+ contents: read
+
 jobs:
 sync:
 uses: ./.github/workflows/sync.yml
diff --git a/.github/workflows/python-37.yml b/.github/workflows/python-37.yml
index 2b1cadd25..38f9b17ba 100644
--- a/.github/workflows/python-37.yml
+++ b/.github/workflows/python-37.yml
@@ -3,6 +3,9 @@ name: python-37
 on:
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 sync:
 uses: ./.github/workflows/sync.yml
diff --git a/.github/workflows/python-38.yml b/.github/workflows/python-38.yml
index 50cc843c1..36cf5533b 100644
--- a/.github/workflows/python-38.yml
+++ b/.github/workflows/python-38.yml
@@ -3,6 +3,9 @@ name: python-38
 on:
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 sync:
 uses: ./.github/workflows/sync.yml
diff --git a/.github/workflows/python-39.yml b/.github/workflows/python-39.yml
index a49ac9dbf..112223c5c 100644
--- a/.github/workflows/python-39.yml
+++ b/.github/workflows/python-39.yml
@@ -3,6 +3,9 @@ name: python-39
 on:
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 sync:
 uses: ./.github/workflows/sync.yml