From e1b82d8f39e727ba0f9f3a05dddf78715b9cfa6e Mon Sep 17 00:00:00 2001 From: Arpit Jain Date: Sat, 16 May 2026 09:20:37 +0900 Subject: [PATCH] ci: declare workflow-level contents: read on 2 workflows Pins the default GITHUB_TOKEN to contents: read on workflows that don't call a GitHub API beyond the initial checkout. Other workflows that need write scopes are left implicit for a maintainer to declare. Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow caps bound runtime authority irrespective of repo or org default, give drift protection, and are credited per-file by the OpenSSF Scorecard Token-Permissions check. YAML validated locally with yaml.safe_load. Signed-off-by: Arpit Jain --- .github/workflows/build.yml | 3 +++ .github/workflows/validate-quick-start-module.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1f5eec8699c6..c18281fdf491 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -6,6 +6,9 @@ on: - site workflow_dispatch: +permissions: + contents: read + jobs: tests: uses: pytorch/test-infra/.github/workflows/linux_job_v2.yml@main diff --git a/.github/workflows/validate-quick-start-module.yml b/.github/workflows/validate-quick-start-module.yml index 2813be181d01..ca843b4a4693 100644 --- a/.github/workflows/validate-quick-start-module.yml +++ b/.github/workflows/validate-quick-start-module.yml @@ -16,6 +16,9 @@ on: - .github/workflows/validate-quick-start-module.yml workflow_dispatch: +permissions: + contents: read + jobs: validate-nightly-binaries: uses: pytorch/test-infra/.github/workflows/validate-binaries.yml@main