From fd2bb35a101db65c641e50376d0f948480788735 Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Fri, 15 May 2026 14:49:03 +0900
Subject: [PATCH] ci: declare workflow-level contents: read on 3 workflows

Pins the default GITHUB_TOKEN to contents: read on the workflows in .github/workflows/ that don't call a GitHub API beyond the initial checkout. The other workflows in this directory are left implicit because they need write scopes that a maintainer is better placed to declare. Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow caps bound runtime authority irrespective of repo or org default, give drift protection if the default ever widens, and are credited per-file by the OpenSSF Scorecard Token-Permissions check. YAML validated locally with yaml.safe_load.

Signed-off-by: Arpit Jain
---
 .github/workflows/coverage.yaml | 3 +++
 .github/workflows/fuzz.yml | 3 +++
 .github/workflows/rustc-pull.yml | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml
index 55edbbefbaa1..7ee7bc0cd471 100644
--- a/.github/workflows/coverage.yaml
+++ b/.github/workflows/coverage.yaml
@@ -9,6 +9,9 @@ env:
   RUST_BACKTRACE: short
   RUSTUP_MAX_RETRIES: 10
 
+permissions:
+  contents: read
+
 jobs:
   coverage:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
index af0e03598ecf..6248ffd66d40 100644
--- a/.github/workflows/fuzz.yml
+++ b/.github/workflows/fuzz.yml
@@ -17,6 +17,9 @@ env:
   RUSTFLAGS: "-D warnings -W unreachable-pub -W bare-trait-objects"
   RUSTUP_MAX_RETRIES: 10
 
+permissions:
+  contents: read
+
 jobs:
   rust:
     if: ${{ github.repository == 'rust-lang/rust-analyzer' || github.event_name == 'workflow_dispatch' }}
diff --git a/.github/workflows/rustc-pull.yml b/.github/workflows/rustc-pull.yml
index be3362b79bbf..391aa7052c1c 100644
--- a/.github/workflows/rustc-pull.yml
+++ b/.github/workflows/rustc-pull.yml
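Review bot: A workflow-level `permissions:` block replaces the default token grant in full, so every scope not listed becomes `none` for every job in the file, and nothing in the coverage.yaml hunk records that; the same applies to the fuzz.yml and rustc-pull.yml hunks. A short comment above the new key would keep a later maintainer from adding a job that needs a wider scope and being surprised when it fails: `# Workflow-wide cap on GITHUB_TOKEN; every scope not listed here is none.` followed by `# A job that needs more must declare its own job-level permissions block.` The jobs that follow `jobs:` are outside the hunk, so whether any existing step already relies on a wider scope cannot be checked from the diff.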
@@ -6,6 +6,9 @@ on:
     # Run at 04:00 UTC every Monday and Thursday
     - cron: '0 4 * * 1,4'
 
+permissions:
+  contents: read
+
 jobs:
   pull:
     if: github.repository == 'rust-lang/rust-analyzer'
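Review bot: The `pull` job whose `if:` line closes the hunk appears, from the workflow's name and its cron trigger, to sync upstream changes and may push a branch or open a pull request; if any such step authenticates with `GITHUB_TOKEN`, the new workflow-level `contents: read` will make it fail, because it leaves `contents` read-only and sets `pull-requests` to `none`. The job body lies outside the hunk, so this cannot be confirmed here, and the description's claim that the workflow only checks out should be checked against the actual steps before merging. If the write steps use a dedicated secret instead of `GITHUB_TOKEN`, a comment such as `# Write access for the sync comes from a dedicated secret, not GITHUB_TOKEN` above `permissions:` would record why the cap is safe in this file.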