ci: declare workflow-level contents: read on chart-test and helm-test #221
arpitjain099 wants to merge 2 commits into
Both workflows just run helm chart tests; no GitHub API writes. contents: read at workflow level is the right cap. Post-CVE-2025-30066 hardening pattern. yaml.safe_load validated.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
Thanks for the contribution! I think the content permission should be read by default, but it's always good to be explicit about it.
Thank you @wrn14897
Thanks @wrn14897! Right, contents:read is the default here, so this is really just making it explicit. The value is defense-in-depth: if a step ever gets compromised (a bad third-party action version, an injected expression), an explicit read-only token cannot be quietly used to write back to the repo. After the tj-actions/changed-files compromise earlier this year that caught a lot of CI pipelines, being explicit about least privilege on the token felt worth it. Totally your call though, and thanks for taking a look.
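The least-privilege check discussed in this thread, as an added example that is not part of the PR or the project: a small audit over workflow files already parsed with `yaml.safe_load`, flagging a missing workflow-level `permissions:` block and any scope (workflow- or job-level, since job-level blocks replace the workflow-level one) granted `write`. The two sample workflows are constructed dict literals standing in for the parsed YAML.

```python
"""Audit GitHub Actions workflows for least-privilege GITHUB_TOKEN scopes.

Policy: a test-only workflow should declare an explicit workflow-level
`permissions:` block, and no job should be able to escalate to a write scope.
"""

# Constructed sample: what yaml.safe_load would return for two workflow files.
GOOD_WORKFLOW = {
    "name": "chart-test",
    "on": ["pull_request"],
    "permissions": {"contents": "read"},
    "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": [{"run": "helm test"}]}},
}

BAD_WORKFLOW = {
    "name": "helm-test",
    "on": ["pull_request"],
    # No workflow-level block: the token falls back to the repo/org default,
    # which can still be the permissive legacy setting.
    "jobs": {
        "test": {"runs-on": "ubuntu-latest", "steps": [{"run": "helm test"}]},
        "publish": {
            "runs-on": "ubuntu-latest",
            # Job-level permissions replace the workflow-level ones entirely.
            "permissions": {"contents": "write", "packages": "write"},
            "steps": [{"run": "helm push"}],
        },
    },
}


def _write_scopes(perms):
    """Scopes a `permissions:` value grants write access to.

    The value may be "read-all" / "write-all", a mapping of scope -> read|write|none,
    or an empty mapping, which means no access at all.
    """
    if perms == "write-all":
        return {"*"}
    if perms == "read-all" or not perms:
        return set()
    return {scope for scope, level in perms.items() if level == "write"}


def audit_workflow_permissions(workflow):
    """Return a list of findings; an empty list means the workflow passes."""
    findings = []
    top = workflow.get("permissions")
    if top is None:
        findings.append("workflow: no workflow-level permissions block (inherits repo default)")
    else:
        findings.extend(f"workflow: write access granted to {s}" for s in sorted(_write_scopes(top)))
    for name, job in workflow.get("jobs", {}).items():
        if "permissions" in job:
            findings.extend(f"job {name}: write access granted to {s}"
                            for s in sorted(_write_scopes(job["permissions"])))
    return findings
```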
Both workflows just run helm chart tests; no GitHub API writes from the workflows.
Same post-CVE-2025-30066 (tj-actions/changed-files) hardening pattern. YAML validated locally.