Skip to content

ci: declare contents:read on ci.yaml workflow#191

Open
arpitjain099 wants to merge 1 commit into
cockroachdb:masterfrom
arpitjain099:chore/declare-workflow-perms
Open

ci: declare contents:read on ci.yaml workflow#191
arpitjain099 wants to merge 1 commit into
cockroachdb:masterfrom
arpitjain099:chore/declare-workflow-perms

Conversation

@arpitjain099

Copy link
Copy Markdown

Adds a workflow-level permissions: contents: read block. The CI job checks out the repo, sets up Go via actions/setup-go, and runs go test / golangci-lint. No GitHub API calls outside the checkout.

The runtime supply-chain threat that justifies the cap is CVE-2025-30066 (the March 2025 tj-actions/changed-files compromise) - a tampered third-party action exfiltrated GITHUB_TOKEN from workflow logs and the leaked token retained whatever scope was issued. Per-workflow caps bound the runtime authority of every action in the chain regardless of repo or org default, give drift protection if that default ever widens, and register with OpenSSF Scorecard's Token-Permissions check.

YAML validated locally with yaml.safe_load.

@cockroach-teamcity

Copy link
Copy Markdown
Member

This change is Reviewable

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@arpitjain099 arpitjain099 force-pushed the chore/declare-workflow-perms branch from 82e9ce9 to be3ca56 Compare June 10, 2026 07:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants