From f69d95c87f59d7d32b55ffd085ddeea38661cbbe Mon Sep 17 00:00:00 2001 From: Arpit Jain Date: Fri, 15 May 2026 14:38:36 +0900 Subject: [PATCH] ci: declare workflow-level contents: read on 26 read-only workflows Pins the default GITHUB_TOKEN to contents: read on the 26 workflows in .github/workflows/ that don't actually need any write scope. The 26 files are a mix of: - composite-action tests (actions-test, checkout-licensed, checkout-test, cross-repo-ci-relay-tests, test_linux_job, test_macos_job, test_windows_job, test-setup-miniconda, test-setup-nvidia, test-setup-python, test-setup-uv, test-export-matrix-variables) - linters and validators (bc-linter-tests, lint, scale_config_validation, test-binary-size-validation, test-validate-domain-library, tests, torchci, validate-pypi-wheel-binary-size, validate-repackaged-binary-sizes) - nightly triggers (trigger_nightly, trigger_nightly_core) - lambda + webhook checks (lambda-runners, lambda-runner-binaries-syncer, lambda-webhook) None of those call a GitHub API beyond the initial checkout or use github.token / GITHUB_TOKEN. Left implicit on purpose (9 files): the workflows that pass github.token to a gh-cli step or otherwise touch the API (actions-check-dist, checkout-check-dist, disable-flaky-tests, pytorch-auto-revert-tests, test-setup-ssh, tflint, update-inductor-expected-accuracy, validate-nightly-binaries, windows-ami-validation) plus the explicit-write files (update-drci-comments, validate-release-binaries). Those scopes are best declared by a maintainer. Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow caps bound runtime authority irrespective of repo or org default, give drift protection if the default ever widens, and are credited per-file by the OpenSSF Scorecard Token-Permissions check. YAML validated locally with yaml.safe_load. 
Signed-off-by: Arpit Jain
---
 .github/workflows/actions-test.yml | 3 +++
 .github/workflows/bc-linter-tests.yml | 3 +++
 .github/workflows/checkout-licensed.yml | 3 +++
 .github/workflows/checkout-test.yml | 3 +++
 .github/workflows/cross-repo-ci-relay-tests.yml | 3 +++
 .github/workflows/lambda-runner-binaries-syncer.yml | 3 +++
 .github/workflows/lambda-runners.yml | 3 +++
 .github/workflows/lambda-webhook.yml | 3 +++
 .github/workflows/lint.yml | 3 +++
 .github/workflows/scale_config_validation.yml | 3 +++
 .github/workflows/test-binary-size-validation.yml | 3 +++
 .github/workflows/test-export-matrix-variables.yml | 3 +++
 .github/workflows/test-setup-miniconda.yml | 3 +++
 .github/workflows/test-setup-nvidia.yml | 3 +++
 .github/workflows/test-setup-python.yml | 3 +++
 .github/workflows/test-setup-uv.yml | 3 +++
 .github/workflows/test-validate-domain-library.yml | 3 +++
 .github/workflows/test_linux_job.yml | 3 +++
 .github/workflows/test_macos_job.yml | 3 +++
 .github/workflows/test_windows_job.yml | 3 +++
 .github/workflows/tests.yml | 3 +++
 .github/workflows/torchci.yml | 3 +++
 .github/workflows/trigger_nightly.yml | 4 ++++
 .github/workflows/trigger_nightly_core.yml | 3 +++
 .github/workflows/validate-pypi-wheel-binary-size.yml | 3 +++
 .github/workflows/validate-repackaged-binary-sizes.yml | 3 +++
 26 files changed, 79 insertions(+)

diff --git a/.github/workflows/actions-test.yml b/.github/workflows/actions-test.yml
index 13f0d3e665..c2b33af5c6 100644
--- a/.github/workflows/actions-test.yml
+++ b/.github/workflows/actions-test.yml
@@ -10,6 +10,9 @@ on:
 paths:
 - '.github/actions/upload-artifact-s3/**'
+permissions:
+ contents: read
+
 jobs:
 build:
 name: Build
diff --git a/.github/workflows/bc-linter-tests.yml b/.github/workflows/bc-linter-tests.yml
index ed626cc391..a32db335b2 100644
--- a/.github/workflows/bc-linter-tests.yml
+++ b/.github/workflows/bc-linter-tests.yml
@@ -16,6 +16,9 @@ defaults:
 run:
 working-directory: tools/stronghold/
+permissions:
+ contents: read
+
 jobs:
 bc-linter-tests:
 name: BC-Linter Tests
diff --git a/.github/workflows/checkout-licensed.yml b/.github/workflows/checkout-licensed.yml
index 3b9a509a83..e7e52f7281 100644
--- a/.github/workflows/checkout-licensed.yml
+++ b/.github/workflows/checkout-licensed.yml
@@ -12,6 +12,9 @@ on:
 paths:
 - '.github/actions/checkout/**'
+permissions:
+ contents: read
+
 jobs:
 test:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/checkout-test.yml b/.github/workflows/checkout-test.yml
index bbb283a073..7929ab93e4 100644
--- a/.github/workflows/checkout-test.yml
+++ b/.github/workflows/checkout-test.yml
@@ -17,6 +17,9 @@ on:
 # these refer to "test-data" branches on this actions/checkout repo.
 # (For example, test-data/v2/basic -> https://github.com/actions/checkout/tree/test-data/v2/basic)
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/cross-repo-ci-relay-tests.yml b/.github/workflows/cross-repo-ci-relay-tests.yml
index 82d56d193d..296cab7074 100644
--- a/.github/workflows/cross-repo-ci-relay-tests.yml
+++ b/.github/workflows/cross-repo-ci-relay-tests.yml
@@ -16,6 +16,9 @@ defaults:
 run:
 working-directory: aws/lambda/cross_repo_ci_relay/
+permissions:
+ contents: read
+
 jobs:
 test:
 runs-on: ubuntu-22.04
diff --git a/.github/workflows/lambda-runner-binaries-syncer.yml b/.github/workflows/lambda-runner-binaries-syncer.yml
index 759303305f..829a62b2fb 100644
--- a/.github/workflows/lambda-runner-binaries-syncer.yml
+++ b/.github/workflows/lambda-runner-binaries-syncer.yml
@@ -8,6 +8,9 @@ on:
 - .github/workflows/lambda-runner-binaries-syncer.yml
 - "terraform-aws-github-runner/modules/runner-binaries-syncer/lambdas/runner-binaries-syncer/**"
+permissions:
+ contents: read
+
 jobs:
 build:
 name: "Run tests for runner binaries syncer lambda"
diff --git a/.github/workflows/lambda-runners.yml b/.github/workflows/lambda-runners.yml
index 22db0aae40..a3f5af1ea6 100644
--- a/.github/workflows/lambda-runners.yml
+++ b/.github/workflows/lambda-runners.yml
@@ -8,6 +8,9 @@ on:
 - .github/workflows/lambda-runners.yml
 - "terraform-aws-github-runner/modules/runners/lambdas/runners/**"
+permissions:
+ contents: read
+
 jobs:
 build:
 name: "Run tests for runners lambda"
diff --git a/.github/workflows/lambda-webhook.yml b/.github/workflows/lambda-webhook.yml
index d418c8d1a1..2c1a14fb53 100644
--- a/.github/workflows/lambda-webhook.yml
+++ b/.github/workflows/lambda-webhook.yml
@@ -8,6 +8,9 @@ on:
 - .github/workflows/lambda-webhook.yml
 - "terraform-aws-github-runner/modules/webhook/lambdas/webhook/**"
+permissions:
+ contents: read
+
 jobs:
 build:
 name: "Run tests for webhook lambda"
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index d7b307594f..a5ae0362f3 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -12,6 +12,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}-${{ github.event_name == 'workflow_dispatch' }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 lintrunner:
 name: lintrunner
diff --git a/.github/workflows/scale_config_validation.yml b/.github/workflows/scale_config_validation.yml
index 0c39fc26cc..a58f20cb8c 100644
--- a/.github/workflows/scale_config_validation.yml
+++ b/.github/workflows/scale_config_validation.yml
@@ -10,6 +10,9 @@ on:
 - .github/scale-config.yml
 - .github/scripts/validate_scale_config.py
+permissions:
+ contents: read
+
 jobs:
 scale-config-validation:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/test-binary-size-validation.yml b/.github/workflows/test-binary-size-validation.yml
index b5f3cf4020..e5443998aa 100644
--- a/.github/workflows/test-binary-size-validation.yml
+++ b/.github/workflows/test-binary-size-validation.yml
@@ -7,6 +7,9 @@ on:
 - tools/binary_size_validation/binary_size_validation.py
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 test-binary-size-validation:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/test-export-matrix-variables.yml b/.github/workflows/test-export-matrix-variables.yml
index a2f89af8ec..11007fd16d 100644
--- a/.github/workflows/test-export-matrix-variables.yml
+++ b/.github/workflows/test-export-matrix-variables.yml
@@ -6,6 +6,9 @@ on:
 - .github/workflows/test-export-matrix-variables.yml
 - .github/actions/export-matrix-variables/*
+permissions:
+ contents: read
+
 jobs:
 test-linux:
 uses: ./.github/workflows/linux_job_v2.yml
diff --git a/.github/workflows/test-setup-miniconda.yml b/.github/workflows/test-setup-miniconda.yml
index 24492bb1b8..085dd6b630 100644
--- a/.github/workflows/test-setup-miniconda.yml
+++ b/.github/workflows/test-setup-miniconda.yml
@@ -7,6 +7,9 @@ on:
 - .github/actions/check-disk-space/*
 - .github/actions/setup-miniconda/*
+permissions:
+ contents: read
+
 jobs:
 test:
 strategy:
diff --git a/.github/workflows/test-setup-nvidia.yml b/.github/workflows/test-setup-nvidia.yml
index 2dbdaa87cc..7d98f0b924 100644
--- a/.github/workflows/test-setup-nvidia.yml
+++ b/.github/workflows/test-setup-nvidia.yml
@@ -7,6 +7,9 @@ on:
 - .github/actions/setup-nvidia/action.yml
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 test:
 strategy:
diff --git a/.github/workflows/test-setup-python.yml b/.github/workflows/test-setup-python.yml
index 987f7006f3..e329c61fb6 100644
--- a/.github/workflows/test-setup-python.yml
+++ b/.github/workflows/test-setup-python.yml
@@ -6,6 +6,9 @@ on:
 - .github/actions/setup-python/*
 - .github/workflows/test-setup-python.yml
+permissions:
+ contents: read
+
 jobs:
 setup-python-job:
 runs-on: macos-m1-stable
diff --git a/.github/workflows/test-setup-uv.yml b/.github/workflows/test-setup-uv.yml
index 2f58d40d9d..b7675c3de9 100644
--- a/.github/workflows/test-setup-uv.yml
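Review bot: In the test-export-matrix-variables.yml hunk the new workflow-level cap is inherited by the test-linux job, which is a `uses: ./.github/workflows/linux_job_v2.yml` call, and a called reusable workflow can only downgrade the caller's GITHUB_TOKEN, never raise it. If linux_job_v2.yml declares any scope beyond `contents: read` at its job level (for example `id-token: write` for OIDC cloud credentials, which I cannot confirm from this hunk), GitHub rejects the run at validation rather than running it with less. Please confirm the callee's permissions block and, if it needs more, grant it on the calling job (`permissions: { id-token: write, contents: read }` under test-linux) instead of dropping the cap. A comment above the cap such as `# also bounds the token passed to linux_job_v2.yml` would stop the next editor from widening it blindly.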
+++ b/.github/workflows/test-setup-uv.yml
@@ -7,6 +7,9 @@ on:
 - .github/actions/setup-uv/action.yml
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 test:
 strategy:
diff --git a/.github/workflows/test-validate-domain-library.yml b/.github/workflows/test-validate-domain-library.yml
index d713464537..4285040d8e 100644
--- a/.github/workflows/test-validate-domain-library.yml
+++ b/.github/workflows/test-validate-domain-library.yml
@@ -7,6 +7,9 @@ on:
 - .github/workflows/test-validate-domain-library.yml
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 test-validate-domain-library:
 uses: ./.github/workflows/validate-domain-library.yml
diff --git a/.github/workflows/test_linux_job.yml b/.github/workflows/test_linux_job.yml
index 300e6c9e53..738e63e6d8 100644
--- a/.github/workflows/test_linux_job.yml
+++ b/.github/workflows/test_linux_job.yml
@@ -9,6 +9,9 @@ on:
 - .github/scripts/run_with_env_secrets.py
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 test-secrets-no-filter-var:
 uses: ./.github/workflows/linux_job.yml
diff --git a/.github/workflows/test_macos_job.yml b/.github/workflows/test_macos_job.yml
index 70b4fc2310..1a79dc3dcc 100644
--- a/.github/workflows/test_macos_job.yml
+++ b/.github/workflows/test_macos_job.yml
@@ -8,6 +8,9 @@ on:
 - .github/scripts/run_with_env_secrets.py
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 test-m1:
 uses: ./.github/workflows/macos_job.yml
diff --git a/.github/workflows/test_windows_job.yml b/.github/workflows/test_windows_job.yml
index 59a4693396..283fa9c9cb 100644
--- a/.github/workflows/test_windows_job.yml
+++ b/.github/workflows/test_windows_job.yml
@@ -7,6 +7,9 @@ on:
 - .github/workflows/test_windows_job.yml
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 test-cpu:
 uses: ./.github/workflows/windows_job.yml
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 27122fa7ac..74f7c3f7fc 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
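Review bot: The cap added in the test_linux_job.yml hunk is inherited by test-secrets-no-filter-var, which is a `uses: ./.github/workflows/linux_job.yml` call, and GitHub fails the run at validation when a called reusable workflow requests a scope the caller did not grant, so a callee that declares e.g. `id-token: write` would turn this hardening into a hard break rather than a 403. The same holds for the test_macos_job.yml, test_windows_job.yml and test-validate-domain-library.yml hunks on this line, whose jobs call macos_job.yml, windows_job.yml and validate-domain-library.yml. The commit message's claim that none of the 26 files use github.token covers the callers only; please check each callee's job-level `permissions:` and, where one needs more, grant it on the calling job (e.g. `permissions: { id-token: write, contents: read }` under test-secrets-no-filter-var) rather than removing the workflow-level cap. If the callees are all read-only, a comment such as `# also bounds the token handed to linux_job.yml` above the cap records that this was checked.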
@@ -13,6 +13,9 @@ on:
 branches:
 - main
+permissions:
+ contents: read
+
 jobs:
 test-tools:
 name: Test tools
diff --git a/.github/workflows/torchci.yml b/.github/workflows/torchci.yml
index 70db681f07..be54885c14 100644
--- a/.github/workflows/torchci.yml
+++ b/.github/workflows/torchci.yml
@@ -9,6 +9,9 @@ on:
 branches:
 - main
+permissions:
+ contents: read
+
 jobs:
 test:
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/trigger_nightly.yml b/.github/workflows/trigger_nightly.yml
index 3793facf3d..6c1323e833 100644
--- a/.github/workflows/trigger_nightly.yml
+++ b/.github/workflows/trigger_nightly.yml
@@ -27,6 +27,10 @@ on:
 - torchcomms
 - torchforge
 - all
+
+permissions:
+ contents: read
+
 jobs:
 trigger:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/trigger_nightly_core.yml b/.github/workflows/trigger_nightly_core.yml
index 3ad2c494bc..fdc78226f7 100644
--- a/.github/workflows/trigger_nightly_core.yml
+++ b/.github/workflows/trigger_nightly_core.yml
@@ -6,6 +6,9 @@ on:
 - cron: 30 7 * * *
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 trigger:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/validate-pypi-wheel-binary-size.yml b/.github/workflows/validate-pypi-wheel-binary-size.yml
index c9547ada01..40cee2762a 100644
--- a/.github/workflows/validate-pypi-wheel-binary-size.yml
+++ b/.github/workflows/validate-pypi-wheel-binary-size.yml
@@ -17,6 +17,9 @@ on:
 # At 2:30 pm UTC (7:30 am PDT)
 - cron: "30 14 * * *"
+permissions:
+ contents: read
+
 jobs:
 pypi-binary-size-validation:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/validate-repackaged-binary-sizes.yml b/.github/workflows/validate-repackaged-binary-sizes.yml
index 06cdd602cb..4656b57054 100644
--- a/.github/workflows/validate-repackaged-binary-sizes.yml
+++ b/.github/workflows/validate-repackaged-binary-sizes.yml
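Review bot: The trigger job in the trigger_nightly.yml hunk (and its sibling in the trigger_nightly_core.yml hunk on this line) presumably dispatches nightly builds for the domain libraries listed in its inputs, which is an API write, so `contents: read` on github.token is only sufficient if the dispatch step authenticates with a stored PAT or GitHub App token; github.token cannot dispatch into another repository, and a same-repo `workflow_dispatch` through github.token would need `actions: write`. The step itself is outside the hunk, so please confirm which credential it uses and, if it is github.token, add `permissions: actions: write` on the trigger job rather than widening the workflow level. Either way a one-line comment above the cap, `# dispatch uses a stored token, not github.token; this cap does not bound that credential`, records why read-only is enough here and reminds readers that the stored token still needs its own least-privilege scoping.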
@@ -18,6 +18,9 @@ on:
 - .github/workflows/validate-repackaged-binary-sizes.yml
 - release/pypi/prep_binary_for_pypi.sh
+permissions:
+ contents: read
+
 jobs:
 generate-linux-matrix:
 uses: ./.github/workflows/generate_binary_build_matrix.yml