
ci: cap GITHUB_TOKEN to contents: read #3137

Open
arpitjain099 wants to merge 1 commit into
pingcap:main from
arpitjain099:chore/declare-workflow-perms


@arpitjain099

Pins the default GITHUB_TOKEN to contents: read at workflow level. No GitHub API writes from the workflow.

Post-CVE-2025-30066 (tj-actions/changed-files) hardening pattern. YAML validated locally.

Workflow runs checks only; no GitHub API writes. Post-CVE-2025-30066 hardening pattern.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@ti-chi-bot

ti-chi-bot Bot commented May 25, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign tangenta for approval. For more information see the Code Review Process.
Please ensure that each of them provides their approval before proceeding.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ti-chi-bot ti-chi-bot Bot added contribution This PR is from a community contributor. first-time-contributor Indicates that the PR was contributed by an external member and is a first-time contributor. labels May 25, 2026
@ti-chi-bot

ti-chi-bot Bot commented May 25, 2026

Welcome @arpitjain099!

It looks like this is your first PR to pingcap/docs-tidb-operator 🎉.

I'm the bot to help you request reviewers, add labels and more. See available commands.

We want to make sure your contribution gets all the attention it needs!



Thank you, and welcome to pingcap/docs-tidb-operator. 😃

@ti-chi-bot ti-chi-bot Bot added the missing-translation-status This PR does not have translation status info. label May 25, 2026
@pingcap-cla-assistant

pingcap-cla-assistant Bot commented May 25, 2026

CLA assistant check
All committers have signed the CLA.

@ti-chi-bot ti-chi-bot Bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label May 25, 2026