PDP-1182 SECCMP-1797: Add top-level permissions to restrict default token#141
Open
GAdityaVarma wants to merge 7 commits intodevelopfrom
Open
PDP-1182 SECCMP-1797: Add top-level permissions to restrict default token#141GAdityaVarma wants to merge 7 commits intodevelopfrom
GAdityaVarma wants to merge 7 commits intodevelopfrom
Conversation
Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.18.8 to 1.18.9. - [Release notes](https://github.com/sparklemotion/nokogiri/releases) - [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md) - [Commits](sparklemotion/nokogiri@v1.18.8...v1.18.9) --- updated-dependencies: - dependency-name: nokogiri dependency-version: 1.18.9 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
…ri-1.18.9 Bump nokogiri from 1.18.8 to 1.18.9 in /docs
Merge 1.3.0 into master
Bumps [rexml](https://github.com/ruby/rexml) from 3.3.9 to 3.4.2. - [Release notes](https://github.com/ruby/rexml/releases) - [Changelog](https://github.com/ruby/rexml/blob/master/NEWS.md) - [Commits](ruby/rexml@v3.3.9...v3.4.2) --- updated-dependencies: - dependency-name: rexml dependency-version: 3.4.2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
MLE-26598 Merge release/1.3.1 into master
Adds explicit top-level permissions: contents: read to limit the default GITHUB_TOKEN scope for all jobs. Individual jobs that need write access (copyright-validation) already declare their own permissions block which overrides the default. This follows the principle of least privilege recommended in GitHub's PwnRequest security guidance.
GAdityaVarma
requested review from
BillFarber,
rjrudin and
stevebio
as code owners
There was a problem hiding this comment.
Pull request overview
This PR tightens the default GITHUB_TOKEN scope for the pull_request_target workflow by adding workflow-level permissions, reducing the risk of unintended write access across jobs.
Changes:
- Adds top-level
permissions: contents: readso jobs default to a read-only token. - Keeps the existing job-level
permissionsoverride forcopyright-validation.
rjrudin
approved these changes
Apr 8, 2026
GAdityaVarma
changed the title
|
Copyright Validation Results ❌ Failed Files
⏭️ Skipped (Excluded) Files
🛠️ GuidanceFollow these steps to fix the failed files:
|
Contributor
|
@GAdityaVarma let's remove this workflow from this repository. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
SECCMP-1797: Add top-level permissions to restrict default token
Adds
permissions: contents: readat the workflow level to restrict the default GITHUB_TOKEN scope. Without this, all jobs inherit the fullpull_request_targetwrite token.The
copyright-validationjob already declares its ownpermissionsblock which overrides the default for that specific job.Ref: Preventing pwn requests