ci: declare workflow-level contents: read on frontend-lint #4118
arpitjain099 wants to merge 1 commit into
Conversation
@arpitjain099 can you please sign ALL your commits? You will need both
7d0fdae to 7f45550
Done. I rebased the branch onto current
contents: read on 2 workflows
Cursor Bugbot has reviewed your changes and found 1 potential issue. Reviewed by Cursor Bugbot for commit 3471d3d.

frontend-lint only checks out the repo and lints, so contents: read is sufficient.

Dropped the pr-title-lint change: it calls the lfx-ui _pr-title-lint reusable workflow which needs pull-requests access to read PR metadata, so capping the caller to contents: read would break it (per the Bugbot review).

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
3471d3d to be67523
Good catch by Bugbot, fixed. I dropped the
contents: read on 2 workflows
Pins the default GITHUB_TOKEN to contents: read on 2 workflows in .github/workflows/ that don't call a GitHub API beyond the initial checkout.

The following files were left implicit because they reference GITHUB_TOKEN / use a write-scope action / trigger on pull_request_target. Those scopes are best declared by maintainers: tinybird-ci.yml.

Why

CVE-2025-30066 (March 2025 tj-actions/changed-files supply-chain compromise) exfiltrated GITHUB_TOKEN from workflow logs. Pinning per workflow caps runtime authority irrespective of the repo or org default, gives drift protection if the default ever widens, and is credited per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load on each touched file.

Note
Low Risk
CI-only permission tightening with no application or runtime behavior changes.
Overview
Adds an explicit workflow-level permissions: contents: read block to the Frontend Lint GitHub Actions workflow so the job's GITHUB_TOKEN is limited to read-only repository content (enough for checkout and lint), instead of inheriting broader default scopes.

This is a supply-chain / least-privilege hardening step aligned with OpenSSF Scorecard Token-Permissions and post-changed-files incident practice; it does not change lint steps or triggers.

Reviewed by Cursor Bugbot for commit be67523. Bugbot is set up for automated code reviews on this repo.
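The triage rule in the PR description and the Bugbot overview above (pin a workflow to contents: read only when it needs nothing beyond checkout; leave workflows that reference GITHUB_TOKEN or run on pull_request_target to maintainers) can be applied mechanically across a .github/workflows/ directory. The following is an added example, not code from PR #4118 or from the repository: a stdlib-only Python audit with a small hardening helper. The two embedded workflow files are constructed samples, not the real frontend-lint.yml or tinybird-ci.yml, and the file names, the `gh pr edit` step and the `pin_contents_read` helper are assumptions. The check is a line-level heuristic, so a real run should still parse each touched file with yaml.safe_load as the PR did.

```python
"""Audit GitHub Actions workflow text for an explicit workflow-level `permissions:`
block and apply the triage rule from PR #4118: only workflows that need nothing
beyond checkout are safe to pin to `contents: read`; anything that references
GITHUB_TOKEN or triggers on pull_request_target is left for maintainers.

Stdlib only. This is a line-level heuristic, not a YAML parse: it assumes block-style
top-level keys at column 0 and may miss flow-style layouts (constructed example)."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample modelled on a checkout-and-lint workflow with no permissions
# block, so its GITHUB_TOKEN inherits whatever the repo or org default grants.
FRONTEND_LINT_BEFORE = """\
name: Frontend Lint
on:
  pull_request:
  push:
    branches: [main]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run lint
"""

# Constructed sample of the kind of file the PR leaves implicit: it runs on
# pull_request_target and hands GITHUB_TOKEN to a step that calls the GitHub API.
LABELER_IMPLICIT = """\
name: Label PRs
on:
  pull_request_target:
    types: [opened]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh pr edit "${{ github.event.pull_request.number }}" --add-label triage
"""

# Top-level keys in block-style YAML start at column 0; job-level ones are indented.
TOP_LEVEL_PERMISSIONS = re.compile(r"^permissions:", re.MULTILINE)
TOP_LEVEL_JOBS = re.compile(r"^jobs:", re.MULTILINE)
TOKEN_REF = re.compile(r"\bGITHUB_TOKEN\b")          # secrets.GITHUB_TOKEN or env use
PR_TARGET = re.compile(r"\bpull_request_target\b")   # privileged trigger on fork PRs


@dataclass
class Finding:
    name: str
    has_workflow_permissions: bool
    reasons_to_leave_implicit: List[str] = field(default_factory=list)

    @property
    def safe_to_pin_contents_read(self) -> bool:
        """True only for a workflow with no permissions block and no reason to
        believe it needs more than read access to repository contents."""
        return not self.has_workflow_permissions and not self.reasons_to_leave_implicit


def audit_workflow(name: str, text: str) -> Finding:
    """Classify one workflow file's text under the PR's triage rule."""
    reasons = []
    if TOKEN_REF.search(text):
        reasons.append("references GITHUB_TOKEN")
    if PR_TARGET.search(text):
        reasons.append("triggers on pull_request_target")
    return Finding(name, TOP_LEVEL_PERMISSIONS.search(text) is not None, reasons)


def pin_contents_read(text: str) -> str:
    """Insert a workflow-level `permissions: contents: read` block immediately before
    the top-level `jobs:` key. Text that already declares permissions is returned
    unchanged, so the helper is idempotent."""
    if TOP_LEVEL_PERMISSIONS.search(text):
        return text
    m = TOP_LEVEL_JOBS.search(text)
    if m is None:
        raise ValueError("no top-level jobs: key; not a workflow file?")
    return text[: m.start()] + "permissions:\n  contents: read\n\n" + text[m.start():]


if __name__ == "__main__":
    for fname, body in [("frontend-lint.yml", FRONTEND_LINT_BEFORE),
                        ("labeler.yml", LABELER_IMPLICIT)]:
        f = audit_workflow(fname, body)
        verdict = "pin to contents: read" if f.safe_to_pin_contents_read else "leave for maintainers"
        print(f"{f.name}: permissions declared={f.has_workflow_permissions}; "
              f"{verdict}; {', '.join(f.reasons_to_leave_implicit) or 'no blockers'}")
    print(pin_contents_read(FRONTEND_LINT_BEFORE))
```

Two points the example makes concrete. First, the permissions block is inserted at workflow level, so every job in the file is capped without editing each job. Second, the audit deliberately refuses to touch a file that references GITHUB_TOKEN or runs on pull_request_target: capping such a file to contents: read is exactly the kind of silent breakage Bugbot caught for the reusable-workflow caller, where the called _pr-title-lint workflow needed pull-requests access that a contents: read caller could no longer grant.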