ci: declare GITHUB_TOKEN scope explicitly for three workflows#40520
Open
arpitjain099 wants to merge 1 commit into
distributions.yml and modern-distributions.yml only check out the repo and run
python validators, so they get contents: read.
winget.yml runs on release: published and forwards a precomputed artifact URL
to wingetcreate using the WINGET_TOKEN secret (an external token). It does not
check out the repo and does not call any GitHub API endpoint, so it gets
permissions: {} (no scopes needed).
This brings the three workflows in line with the other workflows in this repo
that already declare explicit permissions.
Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
Pull request overview
Declares explicit minimal GITHUB_TOKEN permissions in three GitHub Actions workflows to avoid inheriting repository-default token scopes, tightening CI security without changing workflow behavior.
Changes:
- Set `permissions: {}` for `winget.yml` (no `GITHUB_TOKEN` scopes).
- Set `permissions: contents: read` for `distributions.yml` and `modern-distributions.yml` (sufficient for `actions/checkout` + validation scripts).
- Normalized YAML formatting around the `on:` block in `distributions.yml` as part of the mechanical update.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/winget.yml | Explicitly removes all GITHUB_TOKEN permissions for the release-driven WinGet publishing workflow. |
| .github/workflows/modern-distributions.yml | Restricts token scope to contents: read for PR validation of distributions/**. |
| .github/workflows/distributions.yml | Restricts token scope to contents: read for PR validation of distributions/** and cleans up YAML formatting. |
Three workflows in this repo currently leave `GITHUB_TOKEN` scope implicit (no top-level `permissions:` block), so the token inherits whatever the repository default is. This patch declares the minimum scope each workflow actually needs:

- `distributions.yml` and `modern-distributions.yml`: both run on `pull_request` against `distributions/**` and only check out the repo + run a Python validator. `contents: read` is all they need.
- `winget.yml`: runs on `release: released` and forwards `*.msi` asset URLs to `wingetcreate` using the `WINGET_TOKEN` secret. It does not check out the repo and does not call any GitHub API endpoint, so `permissions: {}` (no scopes at all) is correct here.

The change is mechanical — no job steps, no triggers, no conditions move. Files were validated with `python -c "import yaml; yaml.safe_load(...)"` before commit.
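The implicit-scope condition described in the PR body and in the message above can be checked mechanically. The following lint is an added example, not code from this PR or the repository: it loads a workflow with PyYAML (the parser the author used for validation) and reports every job whose `GITHUB_TOKEN` scope is inherited from the repository default or requests write access. The sample workflow, its job name and the validator script name are constructed for the example.

```python
"""Flag GitHub Actions jobs whose GITHUB_TOKEN scope is left implicit."""
import sys
import yaml  # PyYAML, the same parser the PR used to validate the files


def token_scope_findings(workflow_text: str) -> list[str]:
    """Return one finding per job that inherits the repository default scope
    or asks for write access. An empty list means every job carries an
    explicit permissions block that is read-only or empty ({})."""
    doc = yaml.safe_load(workflow_text) or {}
    # YAML 1.1 parses the bare `on:` key as boolean True (doc[True]); that
    # quirk does not affect this check, which only reads `permissions`.
    top = doc.get("permissions")  # None when no top-level block exists
    findings = []
    for name, job in (doc.get("jobs") or {}).items():
        # A job-level block overrides the workflow-level one.
        perms = job.get("permissions", top) if isinstance(job, dict) else top
        if perms is None:
            findings.append(f"{name}: GITHUB_TOKEN scope implicit (inherits repo default)")
        elif perms == "write-all":
            findings.append(f"{name}: write-all grants every scope")
        elif isinstance(perms, dict):
            writes = sorted(k for k, v in perms.items() if v == "write")
            if writes:
                findings.append(f"{name}: write access to {', '.join(writes)}")
    return findings


# Constructed sample modelled on the PR-validation workflows described above:
# checkout plus a Python validator, with no permissions block at all.
IMPLICIT = """\
name: distributions
on:
  pull_request:
    paths: ['distributions/**']
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python validate_distributions.py
"""
# The two explicit forms the PR introduces: read-only, and no scopes at all.
CONTENTS_READ = IMPLICIT.replace("jobs:", "permissions:\n  contents: read\njobs:")
NO_SCOPES = IMPLICIT.replace("jobs:", "permissions: {}\njobs:")

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. .github/workflows/*.yml
        with open(path, encoding="utf-8") as fh:
            for finding in token_scope_findings(fh.read()):
                print(f"{path}: {finding}")
```

Run it over `.github/workflows/*.yml`; a clean run prints nothing, which is the state this PR leaves the three workflows in.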