From 79e4c487db5dd2030a5d16a0e1ecb61552f33978 Mon Sep 17 00:00:00 2001
From: Tom Milewski
Date: Tue, 31 Mar 2026 17:57:50 -0400
Subject: [PATCH 1/4] fix(repo): add explicit permissions to e2e-cleanups workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Restrict GITHUB_TOKEN to read-only content access. The workflow only checks out code and runs cleanup scripts — no write permissions needed. Fixes code scanning alert #234 (actions/missing-workflow-permissions).

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/e2e-cleanups.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/e2e-cleanups.yml b/.github/workflows/e2e-cleanups.yml
index e41d00e8dd2..ccc5bb10e65 100644
--- a/.github/workflows/e2e-cleanups.yml
+++ b/.github/workflows/e2e-cleanups.yml
@@ -5,6 +5,9 @@ on:
 # run every 6 hours on every weekday
 - cron: '0 */6 * * 1-5'
 
+permissions:
+ contents: read
+
 jobs:
 integration-tests:
 name: Cleanup e2e instances

From bda894c9ce77c9820d3d9ae7104531146c4825c7 Mon Sep 17 00:00:00 2001
From: Tom Milewski
Date: Tue, 31 Mar 2026 17:58:23 -0400
Subject: [PATCH 2/4] fix(repo): add explicit permissions to nightly-checks workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Restrict GITHUB_TOKEN to read-only content access. The workflow only checks out code, builds, runs integration tests, and reports to Slack via webhook — no write permissions needed. Fixes code scanning alert #184 (actions/missing-workflow-permissions).

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/nightly-checks.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/nightly-checks.yml b/.github/workflows/nightly-checks.yml
index 9cc8f140649..cd8f74fb018 100644
--- a/.github/workflows/nightly-checks.yml
+++ b/.github/workflows/nightly-checks.yml
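Review bot: The workflow-level `permissions: contents: read` also removes `id-token` (and every other scope) from every job, so if the cleanup job authenticates to a cloud account with OIDC it now needs `id-token: write` re-granted at the job level; only the top of the file is in this hunk, so the job's steps cannot be checked here and a post-merge run is the real test. A read-only default with explicit per-job escalation is the right shape, so I would not widen this block. I would add a one-line rationale above it, `# GITHUB_TOKEN is read-only by default; grant extra scopes on the job that needs them, not here`, so the next person who adds a step that needs a scope overrides per job instead of editing this line.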
@@ -4,6 +4,9 @@ on:
 schedule:
 - cron: "0 7 * * *"
 
+permissions:
+ contents: read
+
 jobs:
 integration-tests:
 name: Integration Tests

From f0c168097aba40e43cdfa81a02c8636ce039ee4a Mon Sep 17 00:00:00 2001
From: Tom Milewski
Date: Tue, 31 Mar 2026 17:58:49 -0400
Subject: [PATCH 3/4] fix(repo): add explicit permissions to cache-for-alternate-node-versions job
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Restrict GITHUB_TOKEN to read-only content access for this job. It only checks out code and caches node_modules — no write permissions needed. Fixes code scanning alert #225 (actions/missing-workflow-permissions).

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/release.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index bf2bad29a01..26a7d0a5421 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -445,6 +445,9 @@ jobs:
 timeout-minutes: ${{ vars.TIMEOUT_MINUTES_NORMAL && fromJSON(vars.TIMEOUT_MINUTES_NORMAL) || 10 }}
 continue-on-error: true
 
+ permissions:
+ contents: read
+
 strategy:
 matrix:
 version: [22] # NOTE: 18 is cached in the main release workflow

From 3eeb8d5ddebc730663cc97f9a73559cbef184e7c Mon Sep 17 00:00:00 2001
From: Tom Milewski
Date: Tue, 31 Mar 2026 17:59:22 -0400
Subject: [PATCH 4/4] fix(repo): add persist-credentials: false to snapshot-release checkout

Prevent the checked-out PR code from accessing the git credential used to push to the base repository. The snapshot-release job checks out untrusted PR code via issue_comment trigger; this limits credential exposure without changing the existing org-membership security gate. Mitigates code scanning alerts #229, #230, #231 (actions/untrusted-checkout).

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/release.yml | 1 +
 1 file changed, 1 insertion(+)
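Review bot: A missing token scope in this workflow only shows up at runtime as a 403 from the step that needed it, and nothing in the hunk (just the `schedule` trigger and the `integration-tests` job name) shows whether any step uses `GITHUB_TOKEN` for things like publishing test results or opening an issue on failure; the Slack webhook named in the commit message is a repository secret and is unaffected by `permissions:`, so it is not the thing to check. Since the workflow is schedule-only, trigger it manually once after merge rather than waiting for the next 07:00 run to find out. I would also record the intent next to the block, `# read-only GITHUB_TOKEN: this workflow builds, tests and posts to Slack via a webhook secret`, so a future step that needs a write scope gets it on its job rather than by loosening this default.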
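Review bot: Because this job sets `continue-on-error: true` two lines above the added block, any step that now fails for lack of a token scope is swallowed rather than failing the release workflow, so the node_modules cache for this matrix version would quietly stop being populated; check one post-merge run's logs for a 403 from the checkout or cache step before trusting it. The job-level block addresses alert #225 for this job alone, but if other jobs in release.yml still inherit the repository's default token permissions, a single workflow-level `permissions: contents: read` with explicit escalation on the jobs that publish would cover them all — the rest of the file, including the job header that starts before this hunk, is outside what is shown here.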
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 26a7d0a5421..2ee1e11c539 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -297,6 +297,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 ref: refs/pull/${{ github.event.issue.number }}/head
+ persist-credentials: false
 fetch-depth: 1
 fetch-tags: false
 filter: 'blob:none'
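Review bot: `persist-credentials: false` stops the token from being written into the checkout's `.git/config`, but the commit message says that same credential is what pushes to the base repository, so the push step (outside this hunk, later in the `snapshot-release` job) must now supply its own auth — a second `actions/checkout` of the base ref with `token: ${{ secrets.GITHUB_TOKEN }}`, or an explicit `https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/OWNER/REPO` remote — or it will fail at the push. This change does not remove `GITHUB_TOKEN` or other secrets from the job environment, so any install or build scripts the PR code presumably runs still execute with the job's full permissions; the org-membership gate is the real control, and a stronger fix would be to run the untrusted PR code in a job with no secrets and only `contents: read`, handing artifacts to a separate trusted job. `refs/pull/N/head` is also resolved at checkout time, so commits pushed to the PR after the triggering comment are what gets built; pinning `ref:` to the head SHA resolved when the gate passed closes that window. The enclosing job starts before this hunk.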