ci: declare workflow-level contents: read on 2 workflows#1517
Conversation
|
|
|
@arpitjain099 - this looks helpful - can I ask why you opened this PR though? Are you attempting to follow up from Wouldn't this be mitigated by requiring approval for the worklfows to run? |
|
Good questions @steve-the-edwards.
Not that specific advisory directly. The trigger for this batch of PRs across repos was CVE-2025-30066 in March (the
Approval gates help against "new untrusted contributor's PR triggers malicious code on a runner that holds a powerful token" but they don't help against an already-trusted action becoming compromised mid-stream (the tj-actions pattern). Once a workflow is running, the token is whatever scope was granted regardless of who initiated it. The two layers compose: approval-required gates reduce the surface where malicious code reaches a runner, and explicit per-workflow scopes reduce what a compromised runner can do when it gets there. Happy to close if defense-in-depth on top of approval-required isn't the shape you want for this repo. |
|
@arpitjain099 - Thanks for the replies - I will merge this now if you sign the CLA. |
@steve-the-edwards Signed CLA, please merge |
steve-the-edwards
force-pushed
the
chore/declare-workflow-perms-readonly
branch
from
931ab38 to
23ad28c
Compare
Pins the default GITHUB_TOKEN to contents: read on workflows that don't call a GitHub API beyond the initial checkout. Other workflows that need write scopes are left implicit for a maintainer to declare. Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow caps bound runtime authority irrespective of repo or org default, give drift protection, and are credited per-file by the OpenSSF Scorecard Token-Permissions check. YAML validated locally with yaml.safe_load. Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
steve-the-edwards
force-pushed
the
chore/declare-workflow-perms-readonly
branch
from
23ad28c to
6531fd4
Compare
3 participants
Pins the default
GITHUB_TOKENtocontents: readon 2 workflows in.github/workflows/that don't call a GitHub API beyond the initial checkout.Left implicit because they reference
GITHUB_TOKEN/ use a write-scope action / trigger onpull_request_target. Best declared by a maintainer:kotlin.yml.Why
CVE-2025-30066 (March 2025
tj-actions/changed-filessupply-chain compromise) exfiltratedGITHUB_TOKENfrom workflow logs. Pinning per workflow caps runtime authority irrespective of the repo or org default, gives drift protection if the default ever widens, and is credited per-file by the OpenSSF ScorecardToken-Permissionscheck.YAML validated locally with
yaml.safe_loadon each touched file.