Commit bbef623
authored
[codex] Harden PR description lint workflow (#71)
#### Context
Restrict the PR description lint workflow so forked PR checks run with
the least token access needed.
#### TL;DR
*Set read-only workflow permissions and stop checkout from storing
credentials.*
#### Summary
- Add explicit contents read permission to the PR description lint
workflow.
- Set checkout persist-credentials to false for the lint job.
#### Alternatives
- Leave defaults unchanged, but explicit permissions make the token
scope easier to review.
#### Test Plan
- [ ] `make -C elixir all`
- [x] Parsed `.github/workflows/pr-description-lint.yml` with PyYAML.1 parent 58cf97d commit bbef623
1 file changed
Lines changed: 5 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
4 | 4 | | |
5 | 5 | | |
6 | 6 | | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
7 | 10 | | |
8 | 11 | | |
9 | 12 | | |
| |||
14 | 17 | | |
15 | 18 | | |
16 | 19 | | |
| 20 | + | |
| 21 | + | |
17 | 22 | | |
18 | 23 | | |
19 | 24 | | |
| |||
0 commit comments