Skip to content

ci: declare workflow-level contents: read on 3 workflows#22366

Open
arpitjain099 wants to merge 1 commit into
rust-lang:masterfrom
arpitjain099:chore/declare-workflow-perms-readonly
Open

ci: declare workflow-level contents: read on 3 workflows#22366
arpitjain099 wants to merge 1 commit into
rust-lang:masterfrom
arpitjain099:chore/declare-workflow-perms-readonly

Conversation

@arpitjain099
Copy link
Copy Markdown

@arpitjain099 arpitjain099 commented May 15, 2026

Pins the default GITHUB_TOKEN to contents: read on 3 workflows in .github/workflows/ that don't call a GitHub API beyond the initial checkout.

The following files were left implicit because they reference GITHUB_TOKEN / use a write-scope action / trigger on pull_request_target. Those scopes are best declared by maintainers: metrics.yaml, rustdoc.yaml.

Why

CVE-2025-30066 (March 2025 tj-actions/changed-files supply-chain compromise) exfiltrated GITHUB_TOKEN from workflow logs. Pinning per workflow caps runtime authority irrespective of the repo or org default, gives drift protection if the default ever widens, and is credited per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load on each touched file.

@arpitjain099
ci: declare workflow-level contents: read on 3 workflows
fd2bb35 
Pins the default GITHUB_TOKEN to contents: read on the workflows in
.github/workflows/ that don't call a GitHub API beyond the initial
checkout. The other workflows in this directory are left implicit
because they need write scopes that a maintainer is better placed
to declare.

Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files
compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow
caps bound runtime authority irrespective of repo or org default,
give drift protection if the default ever widens, and are credited
per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@rustbot rustbot added the S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. label May 15, 2026
lnicola
lnicola reviewed May 15, 2026
View reviewed changes
Comment thread .github/workflows/rustc-pull.yml
- cron: '0 4 * * 1,4'

permissions:
contents: read
Copy link
Copy Markdown
Member

@lnicola lnicola May 15, 2026
edited by rustbot
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this also needs pull-requests: write

View changes since the review

@lnicola
Copy link
Copy Markdown
Member

lnicola commented May 15, 2026

Feels like this isn't doing much since it doesn't tighten up the permissions for all workflows (in particular, rustdoc.yaml).

@arpitjain099
Copy link
Copy Markdown
Author

arpitjain099 commented May 15, 2026

Fair point @lnicola. The reason rustdoc.yaml wasn't included here: its Deploy Docs step uses peaceiris/actions-gh-pages@v4 to push to the gh-pages branch with secrets.GITHUB_TOKEN, which requires contents: write. Declaring permissions: contents: read (the shape used in the other workflows in this PR) would break that step.

A clean fix is workflow-level contents: write on rustdoc.yaml, since the build + deploy run as a single job and only the deploy step needs the write. Practically that doesn't change anything (the same write scope is already in use today via the repo default), it just makes it explicit and pinned, which is what the OpenSSF Scorecard Token-Permissions check looks for per-file.

I held off on declaring write scopes here because I'm an external contributor inferring intent from outside, and that's where I prefer maintainers to make the call. But if you'd like me to roll rustdoc.yaml in with workflow-level contents: write to make this PR cover the full directory, happy to push that. Just say the word.

@lnicola
Copy link
Copy Markdown
Member

lnicola commented May 16, 2026

I know it needs to write, but I meant that if another token exfiltration attack comes up, these changes won't help much if we still have a workflow with write permissions since it will be targeted instead.

Practically that doesn't change anything (the same write scope is already in use today via the repo default)

I think the default is write-all? But it might be tighter in the rust-lang org, I'm not sure. So yeah, let's make it explicit.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lnicola lnicola lnicola left review comments

Assignees

No one assigned

Labels

S-waiting-on-review Status: Awaiting review from the assignee but also interested parties.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@arpitjain099 @lnicola @rustbot