Skip to content

ci: grant least-privilege GITHUB_TOKEN in ci.yml#1294

Open
shitcodebykaushik wants to merge 1 commit into
supermemoryai:mainfrom
shitcodebykaushik:fix/ci-least-privilege-token
Open

ci: grant least-privilege GITHUB_TOKEN in ci.yml#1294
shitcodebykaushik wants to merge 1 commit into
supermemoryai:mainfrom
shitcodebykaushik:fix/ci-least-privilege-token

Conversation

@shitcodebykaushik

Copy link
Copy Markdown

Summary

  • Adds an explicit workflow-level permissions: contents: read block to .github/workflows/ci.yml.
  • The quality-checks job only checks out the repo and runs typecheck/lint, so it does not need write access.
  • Matches the least-privilege pattern already used by the publish workflows and addresses the supply-chain / blast-radius concern in CI workflow (ci.yml) runs without a least-privilege GITHUB_TOKEN #1218.

Test plan

  • Confirmed the workflow YAML is valid and only changes permissions.
  • CI runs successfully on this PR with the restricted token (checkout, install, typecheck, Biome).

Fixes #1218

The quality-checks job only reads the repo (checkout, install, typecheck,
lint). Without an explicit permissions block, GITHUB_TOKEN inherits broader
defaults. Set contents: read to match the publish workflows and reduce
blast radius if a step or dependency is compromised.

Fixes supermemoryai#1218
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

CI workflow (ci.yml) runs without a least-privilege GITHUB_TOKEN

1 participant