
ci: declare workflow-level contents: read on lint-docs and openapi-tests #6308

Open

arpitjain099 wants to merge 1 commit into mongodb:main from arpitjain099:chore/declare-workflow-perms

Conversation

@arpitjain099

Both workflows do read-only validation (markdown lint, openapi spec tests). No GitHub API writes, so a workflow-level `contents: read` is the appropriate cap for the default `GITHUB_TOKEN`.

Other workflows in this repo that use `cache: pnpm` or have write-needing paths are intentionally untouched, since adding `contents: read` there would break the cache save without `actions: write`, and that scope decision belongs to maintainers.

Same hardening shape as the post-CVE-2025-30066 response (tj-actions/changed-files compromise). YAML validated locally.

Both workflows do read-only validation (markdown lint and openapi spec tests). No GitHub API writes from the workflow, so `contents: read` at the workflow level is the appropriate cap for the default `GITHUB_TOKEN`.

Same post-CVE-2025-30066 supply-chain hardening pattern (tj-actions/changed-files compromise). Other docs workflows that use `cache: pnpm` or write paths are intentionally untouched. `yaml.safe_load` validated.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
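The PR's diff is not shown on this page, so the following is an added illustration of the change shape it describes, not the project's own workflow file. It shows a read-only lint job capped by a workflow-level `permissions` block, plus a second job demonstrating the caveat the description raises: a job that saves a cache with `cache: pnpm` also needs `actions: write`, which is granted at job level rather than by widening the whole workflow. The workflow name, trigger paths, lint command and action version tags are assumptions for the example.

```yaml
# Added example (not the PR's diff). Workflow name, paths, lint command
# and action tags are assumed for illustration.
name: lint-docs

on:
  pull_request:
    paths:
      - "**/*.md"

# Weak default: with no top-level `permissions` key, GITHUB_TOKEN inherits
# the repository's default token permissions, which may include write scopes.
# Hardened: declare the least privilege the workflow needs. A lint job only
# reads the checked-out tree, so `contents: read` is sufficient.
permissions:
  contents: read

jobs:
  markdownlint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4            # assumed tag
      - run: npx markdownlint-cli2 "**/*.md" # assumed lint command

  # Caveat from the PR description: once `permissions` is declared at the
  # workflow level, every scope not listed drops to none. A job that saves
  # a dependency cache via `cache: pnpm` additionally needs `actions: write`.
  # A job-level block replaces (not merges with) the workflow-level one, so
  # `contents: read` must be repeated here alongside `actions: write`.
  build-with-cache:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: write
    steps:
      - uses: actions/checkout@v4   # assumed tag
      - uses: pnpm/action-setup@v4  # assumed tag; installs pnpm for setup-node
      - uses: actions/setup-node@v4 # assumed tag
        with:
          node-version: 22
          cache: pnpm
      - run: pnpm install --frozen-lockfile
```

Scoping the wider grant to the one job that needs it keeps the lint job's token read-only even if a dependency of that job is compromised, which is the threat the tj-actions/changed-files incident the description references made concrete.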