This is an automated email from the ASF dual-hosted git repository.
chaokunyang pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/fory.git
The following commit(s) were added to refs/heads/main by this push:
new af4073e69 ci: declare workflow-level `contents: read` on ci and lint
(#3704)
af4073e69 is described below
commit af4073e698ed914f9cc43c3e7879c474f36fce84
Author: Arpit Jain <[email protected]>
AuthorDate: Mon May 25 12:33:56 2026 +0900
ci: declare workflow-level `contents: read` on ci and lint (#3704)
Both workflows run pure CI / lint checks; no GitHub API writes from the
workflows. Workflow-level `contents: read` is sufficient as the cap for
the default `GITHUB_TOKEN`.
Same post-CVE-2025-30066 (`tj-actions/changed-files`) hardening pattern.
YAML validated locally.
Signed-off-by: Arpit Jain <[email protected]>
---
.github/workflows/ci.yml | 3 +++
.github/workflows/lint.yml | 3 +++
2 files changed, 6 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a4c4005be..8658e0b0a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -41,6 +41,9 @@ on:
- "NOTICE"
types: ["opened", "reopened", "synchronize"]
+permissions:
+ contents: read
+
jobs:
changes:
name: Detect Changed Paths
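Review bot: The workflow-level `permissions:` block added before `jobs:` sets every scope other than `contents` to `none` for all jobs in this file, including the `changes` job ("Detect Changed Paths") that follows it. That job's steps are not visible in this hunk. If it resolves changed paths through the pull request API instead of from the git checkout, it will need `pull-requests: read`. Please confirm how it detects changes and, if required, grant that scope at job level on `changes` so the workflow-level cap can stay at `contents: read`.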
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index d867657ce..67a573f5d 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -29,6 +29,9 @@ on:
- "**.yml"
- "**.yaml"
+permissions:
+ contents: read
+
jobs:
markdownlint:
name: 🍇 Markdown
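Review bot: The `permissions:` block added above `jobs:` has no comment saying why the cap is `contents: read`, so a later contributor adding a job that needs a write scope may widen this block for every job. Suggest a one-line YAML comment over `permissions:` noting that the lint jobs make no GitHub API writes and that any job needing more should declare its own job-level `permissions:`.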