From b12c7ddd468766ba326e0bbfaa957aef966af2da Mon Sep 17 00:00:00 2001
From: Rick Newton-Rogers
Date: Thu, 30 Oct 2025 15:47:48 +0000
Subject: [PATCH 1/2] Add explicit read permissions to workflows

Motivation:
* More secure GitHub Actions workflows
Modifications:
Add explicit 'contents: read' permissions to workflows that did not have explicit permissions defined. This follows GitHub Actions security best practices by limiting the default GITHUB_TOKEN permissions.
Result:
An extra layer of security.
---
 .github/workflows/main.yml | 3 +++
 .github/workflows/pull_request.yml | 3 +++
 .github/workflows/pull_request_label.yml | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 42c74a7ce..82bb95733 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,5 +1,8 @@
 name: Main
 
+permissions:
+ contents: read
+
 on:
 push:
 branches: [main]
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 4efd046b0..a92ed01f3 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -1,5 +1,8 @@
 name: PR
 
+permissions:
+ contents: read
+
 on:
 pull_request:
 types: [opened, reopened, synchronize]
diff --git a/.github/workflows/pull_request_label.yml b/.github/workflows/pull_request_label.yml
index 8fd47c13f..d2da2f1ac 100644
--- a/.github/workflows/pull_request_label.yml
+++ b/.github/workflows/pull_request_label.yml
@@ -1,5 +1,8 @@
 name: PR label
 
+permissions:
+ contents: read
+
 on:
 pull_request:
 types: [labeled, unlabeled, opened, reopened, synchronize]

From e022ef33d9ea88c717819fd7c787ff77fa7325f4 Mon Sep 17 00:00:00 2001
From: Rick Newton-Rogers
Date: Thu, 30 Oct 2025 16:35:05 +0000
Subject: [PATCH 2/2] yamllint

---
 .github/workflows/main.yml | 2 +-
 .github/workflows/pull_request.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

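Review bot: A top-level `permissions:` block with only `contents: read` sets every other GITHUB_TOKEN scope to none for the whole workflow, and the jobs of all three files lie outside these hunks, so it cannot be confirmed here that no step needs more; the pull_request_label.yml workflow is the one most likely to read or change pull-request labels, which would require a `pull-requests:` scope that this block does not grant. If a job does need a wider scope, prefer a job-level `permissions:` block on that job alone (for example `permissions:` / `  pull-requests: write` under the job) rather than widening the workflow-level default, so the least-privilege default added here survives. The same point applies to the pull_request.yml and pull_request_label.yml hunks. Indentation inside the hunks appears collapsed in this rendering, so the nesting of `contents:` under `permissions:` is not verifiable here; the follow-up yamllint commit suggests it was off in this one and the two could be squashed.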
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 82bb95733..d2fdc3809 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,7 +1,7 @@
 name: Main
 
 permissions:
- contents: read
+ contents: read
 
 on:
 push:
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index a92ed01f3..7423cd3b2 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -1,7 +1,7 @@
 name: PR
 
 permissions:
- contents: read
+ contents: read
 
 on:
 pull_request: