From 268c262d3da36842f1738692ee919d78b9878148 Mon Sep 17 00:00:00 2001 From: Arpit Jain Date: Tue, 26 May 2026 07:47:26 +0900 Subject: [PATCH] ci: declare workflow-level contents: read on validate-csv and validate-exceptions Both workflows just validate CSV / exceptions files; no GitHub API writes from the workflows. Post-CVE-2025-30066 hardening pattern. yaml.safe_load validated. Signed-off-by: Arpit Jain --- .github/workflows/validate-csv.yml | 3 +++ .github/workflows/validate-exceptions.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/.github/workflows/validate-csv.yml b/.github/workflows/validate-csv.yml index 70e4f6f0..0679e487 100644 --- a/.github/workflows/validate-csv.yml +++ b/.github/workflows/validate-csv.yml @@ -5,6 +5,9 @@ on: paths: - "project-maintainers.csv" +permissions: + contents: read + jobs: validate-csv: runs-on: ubuntu-latest diff --git a/.github/workflows/validate-exceptions.yml b/.github/workflows/validate-exceptions.yml index aef02c62..c046738a 100644 --- a/.github/workflows/validate-exceptions.yml +++ b/.github/workflows/validate-exceptions.yml @@ -6,6 +6,9 @@ on: - 'license-exceptions/exceptions.json' - 'license-exceptions/schema/**' +permissions: + contents: read + jobs: validate: runs-on: ubuntu-latest