Skip to content

ci: declare contents:read on Build workflow#12

Open
arpitjain099 wants to merge 1 commit into
openai:mainfrom
arpitjain099:chore/build-permissions
Open

ci: declare contents:read on Build workflow#12
arpitjain099 wants to merge 1 commit into
openai:mainfrom
arpitjain099:chore/build-permissions

Conversation

@arpitjain099
Copy link
Copy Markdown

@arpitjain099 arpitjain099 commented May 14, 2026

The Build workflow runs corepack enable, pnpm install --frozen-lockfile, pnpm run build, and pnpm run build:library. No GitHub API write beyond actions/checkout.

This patch pins it to permissions: contents: read at workflow scope, matching the per-job block in publish.yml (contents: read + id-token: write for trusted publishing).

With explicit scope:

  • the workflow token can't be widened by a future change to the repo default
  • the SLSA / OpenSSF Scorecard Token-Permissions check passes for this file
  • third-party action exposure (actions/setup-node, actions/checkout) is bounded to read

No behavioural change.

@arpitjain099
ci: declare contents:read on Build workflow
31ff4de 
The Build workflow's single job installs pnpm dependencies and runs
the build + library build. No GitHub API write, no cache directive,
no comment on PRs. contents:read is the floor.

Style matches the per-job permissions block in publish.yml
(contents:read + id-token:write for trusted publishing).

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@arpitjain099