Skip to content

Restrict docs workflow token permissions#43

Merged
acgxv merged 1 commit into
mainfrom
xv/fix-workflow-permissions
Jul 15, 2026
Merged

Restrict docs workflow token permissions#43
acgxv merged 1 commit into
mainfrom
xv/fix-workflow-permissions

Conversation

@acgxv

@acgxv acgxv commented Jul 15, 2026

Copy link
Copy Markdown
Member

What changed

  • add an explicit workflow-level permissions block to the docs CI workflow
  • grant only contents: read, which is required by checkout

Why

GitHub CodeQL alert #3 reported that the workflow inherited repository or organization defaults for GITHUB_TOKEN. Explicit least-privilege permissions keep the token read-only even if those defaults change.

Impact

The docs checks, Mintlify validation, export, and static-asset assertions continue to run unchanged. No public documentation or runtime contract changes.

Validation

  • actionlint .github/workflows/docs.yml
  • npm ci
  • npm run check
  • npx --yes mint@latest validate
  • full export and static-asset command sequence from .github/workflows/docs.yml

…ermissions","authority":"manual","impact":"compatible"}
@github-actions

Copy link
Copy Markdown

@acgxv
acgxv marked this pull request as ready for review July 15, 2026 07:54
@acgxv
acgxv merged commit a07675c into main Jul 15, 2026
6 checks passed
@acgxv
acgxv deleted the xv/fix-workflow-permissions branch July 15, 2026 07:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant