This is an automated email from the ASF dual-hosted git repository.

chaokunyang pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/fory.git


The following commit(s) were added to refs/heads/main by this push:
     new af4073e69 ci: declare workflow-level `contents: read` on ci and lint (#3704)
af4073e69 is described below

commit af4073e698ed914f9cc43c3e7879c474f36fce84
Author: Arpit Jain <[email protected]>
AuthorDate: Mon May 25 12:33:56 2026 +0900

    ci: declare workflow-level `contents: read` on ci and lint (#3704)
    
    Both workflows run pure CI / lint checks; no GitHub API writes from the
    workflows. Workflow-level `contents: read` is sufficient as the cap for
    the default `GITHUB_TOKEN`.
    
    Same post-CVE-2025-30066 (`tj-actions/changed-files`) hardening pattern.
    YAML validated locally.
    
    Signed-off-by: Arpit Jain <[email protected]>
---
 .github/workflows/ci.yml   | 3 +++
 .github/workflows/lint.yml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a4c4005be..8658e0b0a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -41,6 +41,9 @@ on:
       - "NOTICE"
     types: ["opened", "reopened", "synchronize"]
 
+permissions:
+  contents: read
+
 jobs:
   changes:
     name: Detect Changed Paths
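
Review bot: The new top-level `permissions:` block in ci.yml sets every scope it does not list to `none`, and the `changes` job ("Detect Changed Paths") directly below it runs on the `pull_request` trigger shown in the context lines. The body of that job is not visible in this hunk. If it lists the pull request's files through the GitHub API rather than through a local git diff, it will need `pull-requests: read` declared at job level, so that should be confirmed before relying on the workflow-level cap alone. A short comment above `permissions:` stating that jobs needing more must request it in their own `permissions:` block would also help keep this cap from being widened at workflow level later.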
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index d867657ce..67a573f5d 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -29,6 +29,9 @@ on:
       - "**.yml"
       - "**.yaml"
 
+permissions:
+  contents: read
+
 jobs:
   markdownlint:
     name: 🍇 Markdown
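
Review bot: The `permissions:` block added ahead of `jobs:` in lint.yml carries no comment explaining why it is there. The commit message gives the reasoning (lint only, no GitHub API writes), but that context is lost when someone later adds a job here that posts annotations or comments with `GITHUB_TOKEN`. Suggest a one-line YAML comment above `permissions:` saying it is the default cap for the token and that a job needing a write scope should declare it in its own job-level `permissions:` block rather than raising this one.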

