Skip to content

ci: set read-only workflow token permissions#25

Open
Alb3e3 wants to merge 1 commit into
coinbase:mainfrom
Alb3e3:alb3e3/ci-readonly-token-permissions
Open

ci: set read-only workflow token permissions#25
Alb3e3 wants to merge 1 commit into
coinbase:mainfrom
Alb3e3:alb3e3/ci-readonly-token-permissions

Conversation

@Alb3e3

@Alb3e3 Alb3e3 commented Jul 14, 2026

Copy link
Copy Markdown

Summary

  • set explicit read-only GITHUB_TOKEN permissions for CI workflows that only need repository checkout/read access
  • leave release/deploy/write-capable workflows unchanged

Why

This follows GitHub Actions least-privilege guidance and reduces the default token scope available to routine CI jobs without changing the test/build commands.

Verification

  • Parsed the changed workflow YAML with PyYAML.
  • Ran git diff --check.

@cb-heimdall

cb-heimdall commented Jul 14, 2026

Copy link
Copy Markdown

🟡 Heimdall Review Status

Requirement Status More Info
Reviews 🟡 0/1
Denominator calculation
Show calculation
1 if user is bot 0
1 if user is external 0
2 if repo is sensitive 0
From .codeflow.yml 1
Additional review requirements
Show calculation
Max 0
0
From CODEOWNERS 0
Global minimum 0
Max 1
1
1 if commit is unverified 0
Sum 1

@Alb3e3
Alb3e3 force-pushed the alb3e3/ci-readonly-token-permissions branch from c12297f to f345cce Compare July 15, 2026 12:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

2 participants