From c30859a14f6c5fbf591b9e35a6027e177101c99c Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Wed, 13 May 2026 06:21:23 +0000
Subject: [PATCH] ci: declare GITHUB_TOKEN scope explicitly for three workflows

distributions.yml and modern-distributions.yml only check out the repo and run python validators, so they get contents: read. winget.yml runs on release: published and forwards a precomputed artifact URL to wingetcreate using the WINGET_TOKEN secret (an external token). It does not checkout the repo and does not call any GitHub API endpoint, so it gets permissions: {} (no scopes needed). This brings the three workflows in line with the other workflows in this repo that already declare explicit permissions.

Signed-off-by: Arpit Jain
---
 .github/workflows/distributions.yml | 7 +++++--
 .github/workflows/modern-distributions.yml | 3 +++
 .github/workflows/winget.yml | 2 ++
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/distributions.yml b/.github/workflows/distributions.yml
index 62e2a39b9..50d1c7e92 100644
--- a/.github/workflows/distributions.yml
+++ b/.github/workflows/distributions.yml
@@ -1,9 +1,12 @@
 name: Validate distributions
-on:
-  pull_request:
+on:
+  pull_request:
     paths: ['distributions/**']
 
+permissions:
+  contents: read
+
 jobs:
   check:
     name: Validate distributions
diff --git a/.github/workflows/modern-distributions.yml b/.github/workflows/modern-distributions.yml
index 7d6121c6e..ea739108f 100644
--- a/.github/workflows/modern-distributions.yml
+++ b/.github/workflows/modern-distributions.yml
@@ -4,6 +4,9 @@ on:
   pull_request:
     paths: ['distributions/**']
 
+permissions:
+  contents: read
+
 jobs:
   check:
     name: Validate tar based distributions changes
diff --git a/.github/workflows/winget.yml b/.github/workflows/winget.yml
index d8bde2979..3eb9c4020 100644
--- a/.github/workflows/winget.yml
+++ b/.github/workflows/winget.yml
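Review bot: The `-on:` / `+on:` and `-  pull_request:` / `+  pull_request:` pairs at the top of the distributions.yml hunk are byte-identical as rendered, so the change there is presumably a trailing-whitespace or line-ending cleanup; it is not mentioned in the commit message and would be clearer either as its own commit or with a sentence such as `Also strips trailing whitespace from the on:/pull_request: lines in distributions.yml.` The `permissions: contents: read` block itself is the right minimal grant for a job that only checks out the repository, and the identical block in the modern-distributions.yml hunk needs no separate remark. Both `check` jobs' step lists are outside the hunks, so it is worth confirming that nothing in them writes back to the pull request (a status or comment step would presumably now fail with a 403 instead of silently running under the default write-capable token).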
@@ -4,6 +4,8 @@ on:
   release:
     types: [released]
 
+permissions: {}
+
 jobs:
   publish:
     if: github.event.release.prerelease == false
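Review bot: The commit message says winget.yml runs on `release: published`, but the trigger visible in this hunk is `types: [released]`, so the message should say `released` (the two event types differ: `published` also fires for pre-releases, which may be why the `if: github.event.release.prerelease == false` guard below exists). `permissions: {}` is the correct grant only if the `publish` job never touches GITHUB_TOKEN; its steps are outside the hunk, so check that no step passes `${{ github.token }}` or `secrets.GITHUB_TOKEN` to wingetcreate or to an artifact download, since that token is now scopeless. Note also that this block constrains only the workflow-issued GITHUB_TOKEN — the scope of the WINGET_TOKEN PAT is fixed where that secret was created, so the least-privilege claim in the message does not extend to it.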