ci: declare minimum permissions on lint-pr-name workflow#109
Closed
arpitjain099 wants to merge 1 commit into
Conversation
The lint-pr-name workflow triggers on pull_request_target, which runs with the default GITHUB_TOKEN scopes for the base repo rather than the read-only scopes used for pull_request from forks. Pinning the token to contents:read + pull-requests:write narrows the blast radius if a referenced third-party action (amannn/action-semantic-pull-request, marocchino/sticky-pull-request-comment) is ever compromised, while preserving the comment-sticky behaviour the job already relies on. This mirrors the style used in pull-requests.yaml (workflow-level permissions block).

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
Author
Hi @andreas-karlsson, gentle ping on this. PR has been open for 4 days without review. I noticed you've been on the recent-merger side of recent merges in this repo. When you have a moment, would you mind giving it a quick look? No urgency. Happy to address any feedback.
Member
Thanks for the contribution and for flagging the permissions hardening — we appreciate the security awareness! We'll look into this and handle it internally. For future contributions to this repo, please refer to our contribution guidelines.
The `lint-pr-name` workflow runs on `pull_request_target`, which means the workflow's `GITHUB_TOKEN` defaults to the broader scopes used for pushes to the default branch, not the read-only scope used for `pull_request` from a fork.

This patch pins the token to the minimum it actually needs:

- `contents: read` so the third-party actions can still resolve refs.
- `pull-requests: write` so `marocchino/sticky-pull-request-comment` can post (and later delete) the lint-error comment.

The two actions invoked here (`amannn/action-semantic-pull-request`, `marocchino/sticky-pull-request-comment`) are third-party, so explicitly capping the token's authority narrows the blast radius if either is ever compromised (cf. CVE-2025-30066 / `tj-actions/changed-files`).

The style matches `pull-requests.yaml`, which already declares a workflow-level `permissions:` block.

No behavioural change, just a tighter token. Happy to adjust the layout if a per-job block is preferred.
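The workflow-level `permissions:` block the description refers to, shown as an added, constructed example rather than the project's own `lint-pr-name` file. The job name, trigger types, step names, comment header and action version tags are assumptions; the `error_message` output and the sticky-comment `header`/`delete` inputs follow those actions' public documentation.

```yaml
# Constructed example (not the project's own workflow): a pull_request_target
# workflow that caps GITHUB_TOKEN to what the two steps actually need.
name: lint-pr-name

on:
  pull_request_target:
    # 'edited' is included so a title fix re-runs the check (assumed trigger list)
    types: [opened, edited, synchronize, reopened]

# Weak alternative (not used here): omitting this block, or writing
# `permissions: write-all`, gives a pull_request_target run the repository's
# default GITHUB_TOKEN scopes, which can include write on contents, issues,
# packages and more. A workflow-level block applies to every job in the file.
permissions:
  contents: read          # enough for the actions to resolve refs
  pull-requests: write    # needed to post and later delete the sticky comment

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Check that the PR title is a valid Conventional Commit
        id: lint
        uses: amannn/action-semantic-pull-request@v5   # version tag is an assumption
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Post the lint error as a sticky comment
        # Runs even when the previous step failed, but only if it reported an error
        if: always() && steps.lint.outputs.error_message != null
        uses: marocchino/sticky-pull-request-comment@v2   # version tag is an assumption
        with:
          header: pr-title-lint-error   # assumed header; keyed so the comment is updated, not duplicated
          message: |
            ${{ steps.lint.outputs.error_message }}

      - name: Remove the sticky comment once the title passes
        if: steps.lint.outputs.error_message == null
        uses: marocchino/sticky-pull-request-comment@v2
        with:
          header: pr-title-lint-error
          delete: true
```

Because the block is declared at workflow level, any step added later inherits the same capped token unless a job overrides it with its own `permissions:` key, which keeps the file in the same style as the `pull-requests.yaml` the description cites.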