From 0fd0f4e2499238a5c7e25a954e12130215688987 Mon Sep 17 00:00:00 2001 From: Arpit Jain Date: Fri, 15 May 2026 14:43:56 +0900 Subject: [PATCH] ci: declare workflow-level contents: read on 2 workflows Pins the default GITHUB_TOKEN to contents: read on the workflows in .github/workflows/ that don't call a GitHub API beyond the initial checkout. The other workflows in this directory are left implicit because they need write scopes that a maintainer is better placed to declare. Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow caps bound runtime authority irrespective of repo or org default, give drift protection if the default ever widens, and are credited per-file by the OpenSSF Scorecard Token-Permissions check. YAML validated locally with yaml.safe_load. Signed-off-by: Arpit Jain --- .github/workflows/compare.yml | 3 +++ .github/workflows/verify-stability.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/.github/workflows/compare.yml b/.github/workflows/compare.yml index ef54b5299b..222ff5269d 100644 --- a/.github/workflows/compare.yml +++ b/.github/workflows/compare.yml @@ -12,6 +12,9 @@ on: default: "webpack@webpack/webpack#master" required: true +permissions: + contents: read + jobs: bench: strategy: diff --git a/.github/workflows/verify-stability.yml b/.github/workflows/verify-stability.yml index d7b1e38d9e..4698929e06 100644 --- a/.github/workflows/verify-stability.yml +++ b/.github/workflows/verify-stability.yml @@ -6,6 +6,9 @@ on: - main workflow_dispatch: +permissions: + contents: read + jobs: basic: strategy: