From 00fc4ebd7f305768b4572205c61fd8d0920e9c9a Mon Sep 17 00:00:00 2001
From: GAdityaVarma
Date: Wed, 8 Apr 2026 19:26:11 +0530
Subject: [PATCH] SECCMP-1797: Add top-level permissions to restrict default token

Adds explicit top-level permissions: contents: read to limit the default GITHUB_TOKEN scope for all jobs. Individual jobs that need write access (copyright-validation) already declare their own permissions block which overrides the default. This follows the principle of least privilege recommended in GitHub's PwnRequest security guidance.
---
 .github/workflows/pr-workflow.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/pr-workflow.yaml b/.github/workflows/pr-workflow.yaml
index 9165227c..c0275b1b 100644
--- a/.github/workflows/pr-workflow.yaml
+++ b/.github/workflows/pr-workflow.yaml
@@ -1,18 +1,17 @@
 name: PR Workflow
 on:
-  # Using pull_request_target instead of pull_request to handle PRs from forks
   pull_request_target:
     types: [opened, edited, reopened, synchronize]
-  # No branch filtering - will run on all PRs
+
+permissions:
+  contents: read
 
 jobs:
   jira-pr-check:
     name: 🏷️ Validate JIRA ticket ID
-    # Use the reusable workflow from the central repository
     uses: marklogic/pr-workflows/.github/workflows/jira-id-check.yml@main
     with:
-      # Pass the PR title from the event context
       pr-title: ${{ github.event.pull_request.title }}
 
   copyright-validation:
     name: © Validate Copyright Headers
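Review bot: Removing the comment above `pull_request_target:` drops the only in-file record of why a privileged trigger is used, which matters more now that the workflow states its token scope explicitly; keep a replacement such as `# pull_request_target: runs with the base repo's token so fork PRs can be validated; jobs must not execute code from the PR head`. The new `permissions:` stanza would also benefit from a one-line comment noting that a job-level `permissions` block replaces this default wholesale rather than merging with it, so any job that elevates (copyright-validation, whose block the commit message says exists) must restate every scope it needs, including `contents` if it checks out the repo. The hunk's trailing context ends inside the copyright-validation job, so its job-level permissions block cannot be verified here.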