Skip to content

ci: set minimum token permissions on tests#14

Open
arpitjain099 wants to merge 1 commit into
scipy:mainfrom
arpitjain099:chore/declare-workflow-perms
Open

ci: set minimum token permissions on tests#14
arpitjain099 wants to merge 1 commit into
scipy:mainfrom
arpitjain099:chore/declare-workflow-perms

Conversation

@arpitjain099

Copy link
Copy Markdown

This adds an explicit permissions: block to the tests workflow so the GitHub-issued token for runs of tests.yml is granted only the scopes the job actually uses.

The change is permissions: contents: read at the top level. The workflow checks out the repo and runs its declared steps; there is no git push, no gh release create, no comment-on-PR action, no API write. contents: read is therefore the minimum sufficient scope.

Why bother for a workflow that looks innocuous: the worry is not what this workflow does today, it is what an action used inside it might be coerced into doing tomorrow if a third-party dependency in the action chain is compromised. The CVE-2025-30066 (tj-actions/changed-files, March 2025) incident is the canonical recent example. Without an explicit permissions: block, the run inherits the repository-default token scope, which is permissive on many older repos.

Aligns with GitHub's own token-hardening guidance and OpenSSF Scorecard (Token-Permissions). Standalone diff, no behavior change, YAML re-parses with yaml.safe_load.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant