9 changes: 8 additions & 1 deletion .github/workflows/branch-preview.yaml
Expand Up @@ -7,8 +7,11 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

# Least-privilege root (CIS GHA 1.2). Tag-pushing / deploy jobs grant
# `contents: write` per-job below: `publish-sc-preview` (welder deploy),
# `publish-git-tag` (git push tag), and `finalize` (notify/comment).
permissions:
contents: write
contents: read

jobs:
prepare:
Expand Down Expand Up @@ -276,6 +279,8 @@ jobs:
# Does not need docker-build — SC binary publishing is independent of the Docker image.
# Runs in parallel with publish-git-tag.
needs: [prepare, build-setup, build-platforms, test]
permissions:
contents: write # welder deploy reads release artifacts + updates dist
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
Expand Down Expand Up @@ -328,6 +333,8 @@ jobs:
# Only needs docker-build — the tag must point to a commit referencing a published Docker image.
# Does not need build-platforms or publish-sc-preview. Runs in parallel with publish-sc-preview.
needs: [prepare, docker-build]
permissions:
contents: write # commits the release branch + pushes the preview tag
# GH_TOKEN must be visible to every step that runs git (checkout, commit,
# push) because `gh auth setup-git` installs `gh auth git-credential` as
# the credential helper — and that helper reads $GH_TOKEN from the
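Review bot: The root comment at lines 29–31 says `finalize` grants `contents: write` for "notify/comment", but posting a comment on a pull request or issue with GITHUB_TOKEN is authorized by `pull-requests: write` / `issues: write`, not `contents: write`; since a job-level `permissions:` map sets every unlisted scope to `none`, a `finalize` job (outside this hunk) that lists only `contents: write` would get a 403 on the comment step. The same wording appears in branch.yaml (lines 63–65) and push.yaml (lines 79–81), so each `finalize` job is worth checking, and where commenting is the only reason for write the grant should be `pull-requests: write` (plus `issues: write` if it also targets issues). The per-job maps at lines 42–43 and 51–52 likewise replace the whole default set, so if `welder deploy` or the tag push previously relied on `packages: write` or `id-token: write` those now need listing explicitly. The GH_TOKEN note at lines 53–55 suggests `publish-git-tag` may authenticate with a separately issued token, in which case the job-level map does not bound what that token can do and the comment could say so.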
5 changes: 4 additions & 1 deletion .github/workflows/branch.yaml
Expand Up @@ -15,8 +15,11 @@ on:
- 'main'
- 'staging'

# Least-privilege root: every job inherits read-only unless it explicitly
# grants more (CIS GHA 1.2). Only `finalize` actually needs `contents: write`
# (sticky comment / notify), and it grants that itself further down.
permissions:
contents: write
contents: read

jobs:
build-setup:
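Review bot: The comment at lines 63–64 says every job "inherits read-only", but a root map that lists only `contents: read` grants exactly that scope (plus the implicit `metadata: read`) and sets every other scope — `packages`, `pull-requests`, `id-token`, … — to `none`, not read. Suggest wording it as `# Least-privilege root: jobs get contents: read and nothing else unless they grant more per-job (CIS GHA 1.2).` so a later maintainer does not expect, say, `packages: read` to be available by default.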
7 changes: 6 additions & 1 deletion .github/workflows/push.yaml
Expand Up @@ -10,8 +10,11 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: false

# Least-privilege root (CIS GHA 1.2). Only `docker-finalize` (welder
# tag-release + deploy) and `finalize` (notify) need `contents: write`;
# both grant it per-job below.
permissions:
contents: write
contents: read

jobs:
prepare:
Expand Down Expand Up @@ -364,6 +367,8 @@ jobs:
name: Docker finalize (tag-release, deploy)
runs-on: blacksmith-8vcpu-ubuntu-2204
needs: [prepare, build-setup, build-platforms, build-binaries, build-github-actions-staging, test, build-docs, docker-build]
permissions:
contents: write # `welder run tag-release` pushes the release git tag
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
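Review bot: The `docker-finalize` map at lines 92–93 lists only `contents: write`, which is correct for the tag push named in the inline comment, but the job is also titled "deploy" (line 89); a job-level `permissions:` map zeroes every scope it does not name, so if the deploy step pushes or retags a container image via GITHUB_TOKEN it now needs `packages: write`, and an OIDC-based deploy needs `id-token: write`, neither of which is visible in this hunk. Suggest either adding the missing scopes or extending the inline comment to `# tag push only — deploy uses its own credentials, not GITHUB_TOKEN` once confirmed, so the narrow grant is documented as deliberate. The job's steps continue outside the hunk.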