From 59e3c2cb4556da9a213096b218cfb9b2bbae1d18 Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Tue, 26 May 2026 15:31:33 +0900
Subject: [PATCH] ci: declare workflow-level contents: read on 7 CI workflows

All 7 workflows (checkDependencies, ci, codeql, doCleanCode, pr-checks, unit-tests, version-increments) just run checks and validation. No GitHub API writes from the workflows themselves at the workflow level. For workflows where individual jobs need a higher scope (e.g., codeql analyze typically needs security-events: write), job-level permissions can still override upward. This PR only adds the workflow-level cap. Same post-CVE-2025-30066 (tj-actions/changed-files) hardening pattern. yaml.safe_load validated on each touched file.

Signed-off-by: Arpit Jain
---
 .github/workflows/checkDependencies.yml | 3 +++
 .github/workflows/ci.yml | 3 +++
 .github/workflows/codeql.yml | 3 +++
 .github/workflows/doCleanCode.yml | 3 +++
 .github/workflows/pr-checks.yml | 3 +++
 .github/workflows/unit-tests.yml | 3 +++
 .github/workflows/version-increments.yml | 3 +++
 7 files changed, 21 insertions(+)

diff --git a/.github/workflows/checkDependencies.yml b/.github/workflows/checkDependencies.yml
index 40425788ba1..005ee4a16e6 100644
--- a/.github/workflows/checkDependencies.yml
+++ b/.github/workflows/checkDependencies.yml
@@ -7,6 +7,9 @@ on:
 schedule:
 - cron: '0 0 * * *'

+permissions:
+ contents: read
+
 jobs:
 check-dependencies:
 uses: eclipse-platform/eclipse.platform.releng.aggregator/.github/workflows/checkDependencies.yml@master
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fde222c38eb..884cbf53ea5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,6 +15,9 @@ on:
 - 'docs/**'
 - '*.md'

+permissions:
+ contents: read
+
 jobs:
 build:
 uses: eclipse-platform/eclipse.platform.releng.aggregator/.github/workflows/mavenBuild.yml@master
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 46f3230490a..cc669cadbcb 100644
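Review bot: The new workflow-level `permissions: contents: read` also becomes a hard ceiling for the reusable workflows every one of these jobs calls with `uses:`, because a called workflow can only downgrade, never elevate, the GITHUB_TOKEN permissions it receives from the caller, and none of the seven hunks adds the job-level `permissions:` that the commit message relies on. This matters most for the codeql.yml, unit-tests.yml and version-increments.yml hunks, whose callees (CodeQL analysis uploading results, publishing test and version-check results) presumably need `security-events: write` or `checks: write`; the checkDependencies.yml, ci.yml, doCleanCode.yml and pr-checks.yml callees should be checked the same way, since their own `permissions:` blocks are not visible here. Where a callee needs more, grant it on the calling job rather than dropping the cap, e.g. under `callCodeQLworkflow:` add `permissions:` / `  contents: read` / `  security-events: write` above the `uses:` line. A one-line comment above each new block, `# Least-privilege cap for GITHUB_TOKEN; jobs calling a reusable workflow that needs more must raise it at job level`, would record the intent for the next maintainer.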
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -8,6 +8,9 @@ on:
 schedule:
 - cron: '15 8 * * 1'

+permissions:
+ contents: read
+
 jobs:
 callCodeQLworkflow:
 uses: eclipse-platform/eclipse.platform.releng.aggregator/.github/workflows/codeQLworkflow.yml@master
diff --git a/.github/workflows/doCleanCode.yml b/.github/workflows/doCleanCode.yml
index 2242d3adba8..a976c24d7db 100644
--- a/.github/workflows/doCleanCode.yml
+++ b/.github/workflows/doCleanCode.yml
@@ -7,6 +7,9 @@ on:
 schedule:
 - cron: '0 2 * * *'

+permissions:
+ contents: read
+
 jobs:
 clean-code:
 uses: eclipse-platform/eclipse.platform.releng.aggregator/.github/workflows/cleanCode.yml@master
diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
index d8dfc50969a..61e4a4b4792 100644
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -9,6 +9,9 @@ on:
 pull_request:
 branches: [ master ]

+permissions:
+ contents: read
+
 jobs:
 check-freeze-period:
 uses: eclipse-platform/eclipse.platform.releng.aggregator/.github/workflows/verifyFreezePeriod.yml@master
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
index 32759a5869b..f5650319d91 100644
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@@ -6,6 +6,9 @@ on:
 types:
 - completed

+permissions:
+ contents: read
+
 jobs:
 check:
 uses: eclipse-platform/eclipse.platform.releng.aggregator/.github/workflows/publishTestResults.yml@master
diff --git a/.github/workflows/version-increments.yml b/.github/workflows/version-increments.yml
index 7f0450b41ac..c4d9915aefb 100644
--- a/.github/workflows/version-increments.yml
+++ b/.github/workflows/version-increments.yml
@@ -5,6 +5,9 @@ on:
 workflows: [ 'Pull-Request Checks' ]
 types: [ completed ]

+permissions:
+ contents: read
+
 jobs:
 publish-version-check-results:
 uses: eclipse-platform/eclipse.platform.releng.aggregator/.github/workflows/publishVersionCheckResults.yml@master