Skip to content

ci: declare workflow-level contents: read on compile-check and todos-check#17753

Closed
arpitjain099 wants to merge 1 commit into
apache:masterfrom
arpitjain099:chore/declare-workflow-perms
Closed

ci: declare workflow-level contents: read on compile-check and todos-check#17753
arpitjain099 wants to merge 1 commit into
apache:masterfrom
arpitjain099:chore/declare-workflow-perms

Conversation

@arpitjain099
Copy link
Copy Markdown
Contributor

@arpitjain099 arpitjain099 commented May 25, 2026

Both workflows are PR-time checks (compile sanity, todo comment validation). No GitHub API writes from the workflows. Workflow-level contents: read is the right cap.

Same post-CVE-2025-30066 (tj-actions/changed-files) hardening pattern. YAML validated locally.

@arpitjain099
ci: declare workflow-level contents: read on compile-check and todos-…
fe36ff8 
…check

Both workflows are PR-time checks (compile sanity, todo comment validation). No GitHub API writes from the workflows.

Post-CVE-2025-30066 hardening shape. yaml.safe_load validated.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@arpitjain099
Copy link
Copy Markdown
Contributor Author

arpitjain099 commented May 26, 2026

This duplicates #17649 from earlier in the batch. Closing in favor of that one, sorry for the dup.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@arpitjain099