Skip to content

ci: declare contents:read on code-quality workflow#1026

Closed
arpitjain099 wants to merge 2 commits into
ClickHouse:mainfrom
arpitjain099:chore/declare-workflow-perms-1778777424-11
Closed

ci: declare contents:read on code-quality workflow#1026
arpitjain099 wants to merge 2 commits into
ClickHouse:mainfrom
arpitjain099:chore/declare-workflow-perms-1778777424-11

Conversation

@arpitjain099
Copy link
Copy Markdown

@arpitjain099 arpitjain099 commented May 14, 2026
edited by cursor Bot
Loading

Adds a workflow-level permissions: contents: read. The job checks out the repo and runs the linter / format checker; nothing here calls a GitHub API beyond the initial checkout, and the action surfaces failures as the workflow's own check status.

This is supply-chain hygiene anchored in CVE-2025-30066 - the March 2025 tj-actions/changed-files compromise - where a tampered third-party action read GITHUB_TOKEN out of workflow logs and the blast radius equalled whatever scope was issued. Pinning per workflow caps that runtime authority irrespective of the repo or org default, gives drift protection if the default ever widens, and is what OpenSSF Scorecard's Token-Permissions check credits. Small files like this one are the easy place to start the org-wide hygiene work.

YAML validated locally with yaml.safe_load.

Note

Low Risk
Narrowing workflow token scope only; no application or auth logic changes.

Overview
Adds workflow-level permissions: contents: read to the Code quality checks workflow in .github/workflows/code-quality.yml, so the job’s GITHUB_TOKEN is limited to what checkout and local lint/typecheck steps need instead of inheriting broader repo/org defaults.

This is supply-chain / least-privilege hygiene (aligned with OpenSSF Scorecard token-permissions expectations); behavior of the job steps is unchanged.

Reviewed by Cursor Bugbot for commit a7e82f6. Bugbot is set up for automated code reviews on this repo. Configure here.

@arpitjain099
ci: declare contents:read on code-quality workflow
b555a48 
Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@CLAassistant
Copy link
Copy Markdown

CLAassistant commented May 14, 2026

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@changeset-bot
Copy link
Copy Markdown

changeset-bot Bot commented May 14, 2026
edited
Loading

⚠️ No Changeset found

Latest commit: a7e82f6

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@arpitjain099
Copy link
Copy Markdown
Author

arpitjain099 commented May 26, 2026

Merging mentally with #1040 which covers this plus more files. Closing this PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@arpitjain099 @CLAassistant