From 15386f6f16a0ece22be3cc36ec19e7997cc39426 Mon Sep 17 00:00:00 2001 From: "Aaron K. Clark" Date: Tue, 19 May 2026 13:22:56 -0500 Subject: [PATCH] ci(github): scope workflow GITHUB_TOKEN to contents:read MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The `tests` workflow had no explicit `permissions:` block, which means the auto-provisioned GITHUB_TOKEN inherits the repository default — typically read+write on contents, issues, pull-requests, and a handful of other surfaces. A compromised dependency, a malicious upstream action, or a workflow-injection foothold via PR-author-controlled input could then push to master, open issues, or close/comment PRs using the workflow token. The test workflow only needs to clone the repo and report status via the default check API — no write surface required. Pin the job-level scope to `contents: read` so any future compromise can do strictly less damage. Matches the GitHub Actions hardening guide's "least-privilege GITHUB_TOKEN" recommendation. Codeberg's Woodpecker runner has a different token model (no auto-provisioned write-capable token; it uses a per-pipeline secret instead), so the .woodpecker.yml side needs no parallel change. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/test.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 8a3526a..cdc9010 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -8,6 +8,17 @@ on: pull_request: branches: [master, main] +# Least-privilege GITHUB_TOKEN. Without an explicit permissions +# block the token gets the repository default — usually read+write +# on contents/issues/PRs — which means a compromised dependency or +# action in this workflow could push to master, open issues, or +# manipulate PRs. The test workflow only needs to clone the repo +# and report status, so `contents: read` is the entire required +# scope. Per the GitHub Actions hardening guide: +# https://docs.github.com/actions/security-guides/automatic-token-authentication +permissions: + contents: read + jobs: test: runs-on: ubuntu-latest
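Review bot: the commit message says "Pin the job-level scope", but the `permissions:` block in this hunk is inserted at the workflow top level, between `on:` and `jobs:`, so it applies to every job in the file rather than to `test` alone. That is the stronger choice and arguably the better one, but the message and the comment should say "workflow-level" to match, or the block should move under `jobs.test:` if per-job scoping was the intent. Second, a `permissions:` block that lists only `contents: read` sets every other scope (issues, pull-requests, checks, packages, ...) to `none`, not to the repository default, so please confirm none of the `test` job's steps (not visible in this hunk) use `GITHUB_TOKEN` for a write, such as posting a PR comment, creating check-run annotations, or publishing artifacts to a release; those steps would start failing with 403 after this change. The job's own pass/fail status is reported by the Actions service and does not depend on the token, so the "report status" need in the comment is satisfied by `contents: read` on its own.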