Skip to content

Commit bbef623

Browse files
authored
[codex] Harden PR description lint workflow (#71)
#### Context Restrict the PR description lint workflow so forked PR checks run with the least token access needed. #### TL;DR *Set read-only workflow permissions and stop checkout from storing credentials.* #### Summary - Add explicit contents read permission to the PR description lint workflow. - Set checkout persist-credentials to false for the lint job. #### Alternatives - Leave defaults unchanged, but explicit permissions make the token scope easier to review. #### Test Plan - [ ] `make -C elixir all` - [x] Parsed `.github/workflows/pr-description-lint.yml` with PyYAML.
1 parent 58cf97d commit bbef623

1 file changed

Lines changed: 5 additions & 0 deletions

File tree

.github/workflows/pr-description-lint.yml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,9 @@ on:
44
pull_request:
55
types: [opened, edited, reopened, synchronize, ready_for_review]
66

7+
permissions:
8+
contents: read
9+
710
jobs:
811
validate-pr-description:
912
runs-on: ubuntu-latest
@@ -14,6 +17,8 @@ jobs:
1417
steps:
1518
- name: Checkout
1619
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
20+
with:
21+
persist-credentials: false
1722

1823
- name: Set up mise tools
1924
uses: jdx/mise-action@5228313ee0372e111a38da051671ca30fc5a96db # v3

0 commit comments

Comments
 (0)