Skip to content

ci: declare workflow-level contents: read on 3 PR-validation workflows#23396

Open
arpitjain099 wants to merge 1 commit into
cockroachdb:mainfrom
arpitjain099:chore/declare-workflow-perms
Open

ci: declare workflow-level contents: read on 3 PR-validation workflows#23396
arpitjain099 wants to merge 1 commit into
cockroachdb:mainfrom
arpitjain099:chore/declare-workflow-perms

Conversation

@arpitjain099
Copy link
Copy Markdown

@arpitjain099 arpitjain099 commented May 24, 2026

Three PR-validation workflows just read the PR diff:

  • changed_files.yml
  • cross-version-links.yml
  • validate-branch-existence.yml

No GitHub API writes from the workflows. Workflow-level contents: read is the right cap for the default GITHUB_TOKEN.

Same post-CVE-2025-30066 (tj-actions/changed-files) hardening pattern. YAML validated locally.

@arpitjain099
ci: declare workflow-level contents: read on 3 PR-validation workflows
85d5a18 
changed_files, cross-version-links, validate-branch-existence are PR-validation workflows that only read the PR diff. No GitHub API writes. contents: read at workflow level is appropriate.

Post-CVE-2025-30066 hardening pattern. yaml.safe_load validated.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@arpitjain099 arpitjain099 requested a review from a team as a code owner May 24, 2026 02:30
@netlify
Copy link
Copy Markdown

netlify Bot commented May 24, 2026

Deploy Preview for cockroachdb-docs canceled.

Built without sensitive environment variables

Name Link
🔨 Latest commit 85d5a18
🔍 Latest deploy log https://app.netlify.com/projects/cockroachdb-docs/deploys/6a1262d072ba4700084ec876

@netlify
Copy link
Copy Markdown

netlify Bot commented May 24, 2026

Deploy Preview for cockroachdb-interactivetutorials-docs canceled.

Name Link
🔨 Latest commit 85d5a18
🔍 Latest deploy log https://app.netlify.com/projects/cockroachdb-interactivetutorials-docs/deploys/6a1262d07f934200085ff9bd

@netlify
Copy link
Copy Markdown

netlify Bot commented May 24, 2026

Deploy Preview for cockroachdb-api-docs canceled.

Name Link
🔨 Latest commit 85d5a18
🔍 Latest deploy log https://app.netlify.com/projects/cockroachdb-api-docs/deploys/6a1262d07b84000008a4d1aa

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@arpitjain099