This is an automated email from the ASF dual-hosted git repository.
morrySnow pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/master by this push:
new ab8f6572aea [chore](ci) declare least-privilege permissions on clang-format and title-checker workflows (#63573)
ab8f6572aea is described below
commit ab8f6572aeaf20da567d4fc972dc6c1ea2c6486b
Author: Arpit Jain <[email protected]>
AuthorDate: Wed Jun 17 20:00:58 2026 +0900
[chore](ci) declare least-privilege permissions on clang-format and title-checker workflows (#63573)
1. **Problem**: Default `GITHUB_TOKEN` on the touched workflows was the
repo-level default (typically `read/write` for issues/contents/etc),
which is wider than the workflow actually uses. After CVE-2025-30066
(the March `tj-actions/changed-files` supply-chain compromise), the
standard recommendation is to declare per-workflow least-privilege so an
exfiltrated token has the smallest possible blast radius.
2. **Behavior modified**: Four PR-time check workflows (`clang-format`,
`license-eyes`, `lfs-warning`, `title-checker`) now declare a
workflow-level `permissions: contents: read` block. Functionally nothing
changes for callers - the workflows still read the PR diff and run their
respective checks. The token they now hold is just bounded to `contents:
read` rather than the repo-level default. Four PR-time check workflows
(`clang-format`, `license-eyes`, `lfs-warning`, `title-checker`) just
validate the PR or diff. No GitHub API writes from the workflows.
**Note:** `.github/` appears to be in `.gitignore` for this repo, so I
had to use `git add -f` to stage these. Happy to close if the gitignore
is intentional and workflow files are managed via a different path.
Same post-CVE-2025-30066 (`tj-actions/changed-files`) hardening pattern.
YAML validated locally.
3. **Features added**: None. This is hardening only.
4. **Refactoring**: None. Three lines added per file (the `permissions`
block); no logic touched.
Side note: `.github/` is in this repo's `.gitignore`, so I had to use
`git add -f` to stage the files. If you'd rather the workflow files be
managed differently (e.g., generated from a template), happy to close.
---------
Signed-off-by: Arpit Jain <[email protected]>
---
.github/workflows/clang-format.yml | 5 +++++
.github/workflows/title-checker.yml | 4 ++++
2 files changed, 9 insertions(+)
diff --git a/.github/workflows/clang-format.yml
b/.github/workflows/clang-format.yml
index a81d64e4e2b..4814480a5df 100644
--- a/.github/workflows/clang-format.yml
+++ b/.github/workflows/clang-format.yml
@@ -25,6 +25,11 @@ on:
workflow_dispatch:
issue_comment:
types: [ created ]
+
+permissions:
+ contents: read
+ pull-requests: read
+
jobs:
clang-format:
name: "Clang Formatter"
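Review bot: this hunk grants `pull-requests: read` alongside `contents: read` and adds five lines, but the commit message describes a `contents: read`-only block of three lines per file; please update the description to match what is committed. Because this workflow also fires on `issue_comment` (`types: [ created ]`), confirm that no job in it comments on the PR or pushes a formatting commit: under the new workflow-level `permissions:` those API writes would be rejected instead of inheriting the old repo default. If a single job does need more, give that job its own `permissions:` block rather than widening the workflow-level one.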
diff --git a/.github/workflows/title-checker.yml
b/.github/workflows/title-checker.yml
index fac1bfdb018..ae7b57e73a2 100644
--- a/.github/workflows/title-checker.yml
+++ b/.github/workflows/title-checker.yml
@@ -22,6 +22,10 @@ on:
pull_request:
types: [ opened, edited ]
+permissions:
+ contents: read
+ pull-requests: read
+
jobs:
PR-title-checker:
name: "PR title checker"
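Review bot: the diffstat lists only two files changed, yet the commit message says four workflows (`license-eyes` and `lfs-warning` included) now declare the block; either those two files are missing from this commit or the message overstates the change, so one of them should be corrected. Style point: the clang-format hunk separates `permissions:` from the preceding `on:` block with a blank line, while here `+permissions:` directly follows `types: [ opened, edited ]`; add the blank line for consistency. The scope itself looks right for this job, since the `pull_request` event payload already carries the title and `pull-requests: read` covers reading it.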