Skip to content

ci: declare workflow-level contents: read on essential-ci and check-pebble-dep#170851

Open
arpitjain099 wants to merge 1 commit into
cockroachdb:masterfrom
arpitjain099:chore/declare-workflow-perms
Open

ci: declare workflow-level contents: read on essential-ci and check-pebble-dep#170851
arpitjain099 wants to merge 1 commit into
cockroachdb:masterfrom
arpitjain099:chore/declare-workflow-perms

Conversation

@arpitjain099
Copy link
Copy Markdown

@arpitjain099 arpitjain099 commented May 24, 2026

Both workflows are pure checks: github-actions-essential-ci runs the essential CI suite, check-pebble-dep validates the pebble dependency reference. No GitHub API writes from the workflows.

Same post-CVE-2025-30066 (tj-actions/changed-files) hardening pattern. YAML validated locally.

@arpitjain099
ci: declare workflow-level contents: read on essential-ci and check-p…
b916390 
…ebble-dep

Both workflows run pure checks: essential-ci runs the essential CI suite, check-pebble-dep validates the pebble dependency reference. No GitHub API writes from the workflows.

Post-CVE-2025-30066 hardening shape (tj-actions/changed-files). yaml.safe_load validated.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@arpitjain099 arpitjain099 requested a review from a team as a code owner May 24, 2026 02:29
@trunk-io
Copy link
Copy Markdown
Contributor

trunk-io Bot commented May 24, 2026

Merging to master in this repository is managed by Trunk.

  • To merge this pull request, check the box to the left or comment /trunk merge below.

After your PR is submitted to the merge queue, this comment will be automatically updated with its status. If the PR fails, failure details will also be posted here

@blathers-crl
Copy link
Copy Markdown

blathers-crl Bot commented May 24, 2026

Thank you for contributing to CockroachDB. Please ensure you have followed the guidelines for creating a PR.

Before a member of our team reviews your PR, I have some potential action items for you:

  • Please ensure your git commit message contains a release note.
  • When CI has completed, please ensure no errors have appeared.

🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf.

@blathers-crl blathers-crl Bot added the O-community Originated from the community label May 24, 2026
@cockroach-teamcity
Copy link
Copy Markdown
Member

cockroach-teamcity commented May 24, 2026

This change is Reviewable

@cockroachlabs-cla-agent
Copy link
Copy Markdown

cockroachlabs-cla-agent Bot commented May 24, 2026

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

O-community Originated from the community

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@arpitjain099 @cockroach-teamcity