Skip to content

ci: declare contents:read on unit-tests workflow#1027

Closed
arpitjain099 wants to merge 2 commits into
ClickHouse:mainfrom
arpitjain099:chore/declare-workflow-perms-1778777436-12
Closed

ci: declare contents:read on unit-tests workflow#1027
arpitjain099 wants to merge 2 commits into
ClickHouse:mainfrom
arpitjain099:chore/declare-workflow-perms-1778777436-12

Conversation

@arpitjain099
Copy link
Copy Markdown

@arpitjain099 arpitjain099 commented May 14, 2026
edited by cursor Bot
Loading

Adds a workflow-level permissions: contents: read block. The job here only checks out the repository and runs its tests / validation; no GitHub API call beyond the initial checkout is needed.

CVE-2025-30066 (the March 2025 tj-actions/changed-files supply-chain compromise) is the canonical motivation: a tampered third-party action exfiltrated GITHUB_TOKEN from workflow logs and the leaked token retained whatever scope was issued at the workflow level. Per-workflow caps bound that runtime authority irrespective of repo or org default, give drift protection if the default ever widens, and register with OpenSSF Scorecard's Token-Permissions check (which only credits explicit per-workflow declarations).

YAML validated locally with yaml.safe_load.

Note

Low Risk
Workflow-only permission tightening with no application or runtime behavior changes.

Overview
Adds an explicit workflow-level permissions: contents: read to the Unit tests GitHub Actions workflow so the job token is limited to checkout/read—matching the pattern already used on other workflows and satisfying OpenSSF Scorecard token-permissions expectations.

No test or install steps change; this only caps GITHUB_TOKEN scope at runtime (e.g. to reduce blast radius if a third-party action is compromised).

Reviewed by Cursor Bugbot for commit f9edad4. Bugbot is set up for automated code reviews on this repo. Configure here.

@arpitjain099
ci: declare contents:read on unit-tests workflow
fbd5922 
Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@changeset-bot
Copy link
Copy Markdown

changeset-bot Bot commented May 14, 2026
edited
Loading

⚠️ No Changeset found

Latest commit: f9edad4

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@CLAassistant
Copy link
Copy Markdown

CLAassistant commented May 14, 2026
edited
Loading

CLA assistant check
All committers have signed the CLA.

@arpitjain099
Copy link
Copy Markdown
Author

arpitjain099 commented May 26, 2026

Merging mentally with #1040 which covers this plus more files. Closing this PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@arpitjain099 @CLAassistant