ci: declare workflow-level contents: read on 6 CI workflows #4025
arpitjain099 wants to merge 2 commits into
Conversation
Hi @arpitjain099 — thank you for your contribution! The Eclipse Contributor Agreement (ECA) check has failed for this pull request due to one of the following reasons:
To resolve this, please:
Once done, push a new commit (or rebase) to re-trigger the ECA validation. If you believe you've already completed these steps, please double-check your account settings or report an issue to Eclipse Foundation Helpdesk. Thanks again for your contribution!
CLA signed
arpitjain099 force-pushed the branch from e91c126 to 8117acc.
arpitjain099 force-pushed the branch from 8117acc to 44d28ab.
Copilot review: Pull request overview
This PR hardens the repository's GitHub Actions configuration by explicitly setting a least-privilege GITHUB_TOKEN at the workflow level (`permissions: contents: read`) for CI workflows that only run checks.
Changes:
- Add workflow-level `permissions: contents: read` to six CI workflows to avoid relying on broader default token permissions.
- Align these workflows with the repository's existing "minimal-by-default, elevate per-job if needed" permissions pattern.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.
Summary per file:
| File | Description |
|---|---|
| .github/workflows/checkDependencies.yml | Adds workflow-level contents: read permissions. |
| .github/workflows/ci.yml | Adds workflow-level contents: read permissions. |
| .github/workflows/doCleanCode.yml | Adds workflow-level contents: read permissions. |
| .github/workflows/pr-checks.yml | Adds workflow-level contents: read permissions. |
| .github/workflows/unit-tests.yml | Adds workflow-level contents: read permissions. |
| .github/workflows/version-increments.yml | Adds workflow-level contents: read permissions. |
Failure https://github.com/eclipse-platform/eclipse.platform.ui/actions/runs/26947761475 : Invalid workflow file: .github/workflows/pr-checks.yml#L16
Hello @akurtakov let me check tonight.
Test Results
861 files ±0, 861 suites ±0, 54m 28s ⏱️ +1m 7s
For more details on these failures, see this check.
Results for commit 44d28ab. ± Comparison against base commit 26fe26b.
Commit message:
Adds workflow-level contents: read to six CI workflows that run pure checks (checkDependencies, ci, doCleanCode, pr-checks, unit-tests, version-increments). No GitHub API writes from the workflows. Same post-CVE-2025-30066 (tj-actions/changed-files) hardening pattern. yaml.safe_load validated.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>

arpitjain099 force-pushed the branch from 44d28ab to ebdf729.
Commit message:
pr-checks.yml and unit-tests.yml only call reusable workflows. A caller's workflow-level permissions cap the GITHUB_TOKEN for the called workflow, which cannot request more than the caller grants. The contents: read block here was stripping scopes the callees need:
- verifyFreezePeriod.yml needs issues: read (milestone lookup)
- checkMergeCommits.yml needs pull-requests: read
- publishTestResults.yml needs checks: write, pull-requests: write, issues: read and actions: read

This is what broke validation (pr-checks.yml line 16, reported by @akurtakov). Revert the permissions block on these two reusable-only callers; each reusable workflow already declares its own least-privilege permissions. The contents: read additions on the non-affected workflows in this PR are kept.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
PR description:
Adds workflow-level `permissions: contents: read` to six CI workflows: checkDependencies, ci, doCleanCode, pr-checks, unit-tests, version-increments. All run pure checks; no GitHub API writes from the workflows themselves. Same post-CVE-2025-30066 (tj-actions/changed-files) hardening pattern. YAML validated locally.