Skip to content

ci: declare workflow-level contents: read on 4 workflows#4467

Open
arpitjain099 wants to merge 1 commit into
Shopify:2026-07-rcfrom
arpitjain099:chore/declare-workflow-perms-readonly
Open

ci: declare workflow-level contents: read on 4 workflows#4467
arpitjain099 wants to merge 1 commit into
Shopify:2026-07-rcfrom
arpitjain099:chore/declare-workflow-perms-readonly

Conversation

@arpitjain099
Copy link
Copy Markdown

@arpitjain099 arpitjain099 commented May 15, 2026

Pins the default GITHUB_TOKEN to contents: read on 4 workflows in .github/workflows/ that don't call a GitHub API beyond the initial checkout.

The following files were left implicit because they reference GITHUB_TOKEN / use a write-scope action / trigger on pull_request_target. Those scopes are best declared by maintainers: cla.yml, shopify-dev-preview-automation.yml.

Why

CVE-2025-30066 (March 2025 tj-actions/changed-files supply-chain compromise) exfiltrated GITHUB_TOKEN from workflow logs. Pinning per workflow caps runtime authority irrespective of the repo or org default, gives drift protection if the default ever widens, and is credited per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load on each touched file.

@arpitjain099
ci: declare workflow-level contents: read on 4 workflows
941814c 
Pins the default GITHUB_TOKEN to contents: read on the workflows in
.github/workflows/ that don't call a GitHub API beyond the initial
checkout. The other workflows in this directory are left implicit
because they need write scopes that a maintainer is better placed
to declare.

Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files
compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow
caps bound runtime authority irrespective of repo or org default,
give drift protection if the default ever widens, and are credited
per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 15, 2026

🚨🚨🚨 Docs migration in progress 🚨🚨🚨

We are actively migrating UI extension reference docs to MDX in the areas/platforms/shopify-dev zone of the monorepo. This impacts docs for the following surfaces:

During this migration, please be aware of the following:

.doc.ts files are being deprecated. Changes to .doc.ts files in this repo will not be reflected in the new MDX-based docs. If you need to update docs for a reference that has already been migrated, make your changes directly in the areas/platforms/shopify-dev zone of the monorepo instead.

Doc comments in .ts source files (the comment blocks above types and functions) are also affected. Generating docs from these comments currently requires a newer version of the @shopify/generate-docs library that isn't yet available. Updates to doc comments may not produce the expected output until the migration is complete.

Examples that previously lived in this repo are being moved to the areas/platforms/shopify-dev zone of the monorepo and should be authored there going forward.

What should I do?

  • If your PR includes changes to .doc.ts files, doc comments, or examples, please reach out to us in #devtools-proj-templated-refs so we can help ensure your updates are captured correctly.
  • If your PR is limited to source code changes (non-docs), you can ignore this notice.

Thanks for your patience while we complete the migration! 🙏

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@arpitjain099