From 4ad496846a1214ee55428ea39731bbc4055ac551 Mon Sep 17 00:00:00 2001 From: Yedaya Katsman Date: Wed, 27 May 2026 17:24:33 +0300 Subject: [PATCH] Set default permissions for workflows Old github repositories created before 2023 run jobs with a GITHUB_TOKEN that has write permissions by default for PRs from inside the repo (not a fork), unless set otherwise in the repository.[0][1] [0] https://github.blog/changelog/2023-02-02-github-actions-updating-the-default-github_token-permissions-to-read-only/ [1] https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ Set it explicitly so there won't be a chance that a compromise of an action will be able to modify anything in the repository. Pointed out by zizmor[2] [2] https://github.com/zizmorcore/zizmor Signed-off-by: Yedaya Katsman Signed-off-by: David Gibson --- .github/workflows/build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 294ebb2..c477b03 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -8,6 +8,8 @@ name: Build test pull_request: branches: - main +permissions: + contents: read # ensure that the workflow is only triggered once per PR, subsequent pushes to the PR will cancel # and restart the workflow. See https://docs.github.com/en/actions/using-jobs/using-concurrency