From bc27ccb6862ecba0b4c7b92ee8bfd21e74a688ef Mon Sep 17 00:00:00 2001 From: Bhagirath Mehta Date: Wed, 27 May 2026 08:20:12 -0500 Subject: [PATCH 1/2] ci: add least-privilege permissions to remaining workflows Adds top-level `permissions: { contents: read }` to the six workflow files on `main` that lacked an explicit GITHUB_TOKEN scope: - .github/workflows/build-android.yml - .github/workflows/build-ios-mac.yml - .github/workflows/build-posix-latest.yml - .github/workflows/build-ubuntu-2204.yml - .github/workflows/build-windows-vs2022.yaml - .github/workflows/test-win-latest.yml All six only check out source and run builds or tests; none post PR comments, deploy artifacts via the token, or otherwise need write scopes. `actions/upload-artifact@v4` (build-android.yml) uses its own per-run SAS URL and does not require GITHUB_TOKEN scopes. Carry-forward from PR #1450, which hardened spellcheck.yml the same way, and mirrors the analogous modules-repo commit decc96501. Each file gets an explanatory comment naming the CodeQL rule it satisfies (actions/missing-workflow-permissions) if Actions analysis is later enabled in this repo's code-scanning config. No behavior change. Already-permissioned workflows (codeql-analysis.yml, deploy-docs-pages.yml) are not touched. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/build-android.yml | 17 ++++++++++++----- .github/workflows/build-ios-mac.yml | 6 ++++++ .github/workflows/build-posix-latest.yml | 6 ++++++ .github/workflows/build-ubuntu-2204.yml | 6 ++++++ .github/workflows/build-windows-vs2022.yaml | 6 ++++++ .github/workflows/test-win-latest.yml | 6 ++++++ 6 files changed, 42 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/build-android.yml b/.github/workflows/build-android.yml
index 2d50517d8..9e07f3280 100644
--- a/.github/workflows/build-android.yml
+++ b/.github/workflows/build-android.yml
@@ -17,11 +17,18 @@ on:
       - main
       - dev
 
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-
+
+# Least-privilege GITHUB_TOKEN scope: this workflow only checks out source
+# and builds + uploads artifacts (upload-artifact uses its own per-run SAS,
+# not GITHUB_TOKEN). Explicit block satisfies CodeQL rule
+# actions/missing-workflow-permissions if Actions analysis is enabled.
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
 jobs:
   build:
     runs-on: windows-latest
diff --git a/.github/workflows/build-ios-mac.yml b/.github/workflows/build-ios-mac.yml
index be9ec53f9..81d93ad77 100644
--- a/.github/workflows/build-ios-mac.yml
+++ b/.github/workflows/build-ios-mac.yml
@@ -20,6 +20,12 @@ on:
     - cron: 0 2 * * 1-5
 
+# Least-privilege GITHUB_TOKEN scope: this workflow only checks out source
+# and runs the iOS/macOS build matrix. Explicit block satisfies CodeQL rule
+# actions/missing-workflow-permissions if Actions analysis is enabled.
+permissions:
+  contents: read
+
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
diff --git a/.github/workflows/build-posix-latest.yml b/.github/workflows/build-posix-latest.yml
index 657caa6e0..13ac881ab 100644
--- a/.github/workflows/build-posix-latest.yml
+++ b/.github/workflows/build-posix-latest.yml
@@ -20,6 +20,12 @@ on:
     - cron: 0 2 * * 1-5
 
+# Least-privilege GITHUB_TOKEN scope: this workflow only checks out source
+# and runs the Linux/Mac build matrix. Explicit block satisfies CodeQL rule
+# actions/missing-workflow-permissions if Actions analysis is enabled.
+permissions:
+  contents: read
+
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
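Review bot: The hunk deletes the unchanged `concurrency:` stanza and its surrounding blank lines (all five `-` lines in the diffstat) only to re-add them verbatim beneath the new `permissions:` block, so the diff records a pure move that `git blame` will attribute to this commit even though, as the message says, there is no behavior change. The other five hunks in this patch insert the six new lines between the existing blank line and the following `concurrency:` (or `jobs:`) stanza with no deletions; doing the same here keeps this file additions-only and makes the six files easy to compare side by side. Top-level key order has no effect on how GitHub Actions applies `permissions` or `concurrency`, so the move buys nothing.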
diff --git a/.github/workflows/build-ubuntu-2204.yml b/.github/workflows/build-ubuntu-2204.yml
index e0ea03ac5..1fbcc6404 100644
--- a/.github/workflows/build-ubuntu-2204.yml
+++ b/.github/workflows/build-ubuntu-2204.yml
@@ -20,6 +20,12 @@ on:
     - cron: 0 2 * * 1-5
 
+# Least-privilege GITHUB_TOKEN scope: this workflow only checks out source
+# and runs the Ubuntu 22.04 build. Explicit block satisfies CodeQL rule
+# actions/missing-workflow-permissions if Actions analysis is enabled.
+permissions:
+  contents: read
+
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
diff --git a/.github/workflows/build-windows-vs2022.yaml b/.github/workflows/build-windows-vs2022.yaml
index 20605b442..b28aa1515 100644
--- a/.github/workflows/build-windows-vs2022.yaml
+++ b/.github/workflows/build-windows-vs2022.yaml
@@ -13,6 +13,12 @@ on:
       - main
       - dev
 
+# Least-privilege GITHUB_TOKEN scope: this workflow only checks out source
+# and runs the Visual Studio 2022 build. Explicit block satisfies CodeQL
+# rule actions/missing-workflow-permissions if Actions analysis is enabled.
+permissions:
+  contents: read
+
 
 jobs:
   build:
diff --git a/.github/workflows/test-win-latest.yml b/.github/workflows/test-win-latest.yml
index 19b20ef53..255868a88 100644
--- a/.github/workflows/test-win-latest.yml
+++ b/.github/workflows/test-win-latest.yml
@@ -20,6 +20,12 @@ on:
     - cron: 0 2 * * 1-5
 
+# Least-privilege GITHUB_TOKEN scope: this workflow only checks out source
+# and runs Windows unit/functional tests. Explicit block satisfies CodeQL
+# rule actions/missing-workflow-permissions if Actions analysis is enabled.
+permissions:
+  contents: read
+
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
From a4885a47277ccc65fb4676d6a6d2e63fdb5cb531 Mon Sep 17 00:00:00 2001
From: Bhagirath Mehta Date: Wed, 27 May 2026 08:03:18 -0500 Subject: [PATCH 2/2] ci(spellcheck): pin misspell + add least-privilege permissions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Three hardening fixes for .github/workflows/spellcheck.yml, ported from the same audit applied to the sister modules repo: 1. Add top-level 'permissions: contents: read'. Without an explicit block, the GITHUB_TOKEN inherits the repo default (typically read+write across most APIs), which is far more than misspell needs. misspell only walks .md/.txt/lib/tests files and prints typos to stdout; it never comments on PRs, posts statuses, or writes packages. This also satisfies CodeQL rule 'actions/missing-workflow-permissions' if Actions analysis is enabled here later (it isn't in the current codeql-analysis.yml matrix, but no reason to wait for that). 2. Replace the unpinned bootstrap install with a pinned tarball download. The prior 'curl https://git.io/misspell | sh' pattern executed a shell script from the master branch of an external repo via a git.io redirect — a supply-chain risk that also made CI non-reproducible. Now we download a specific release artifact (v0.3.4) directly from GitHub releases. 3. Verify the tarball SHA256 against the published checksum 'afd95caf1eecc72ff382791e00b3b11523a20b0579d95e2295c1c043688743d5' (linux_64bit). Any tampering or unexpected upstream change will fail CI rather than silently execute. Scope of misspell unchanged: still scans .md, .txt, examples/**, all of lib/ (excluding json.hpp), and tests/**. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/spellcheck.yml | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/spellcheck.yml b/.github/workflows/spellcheck.yml
index 912594c61..eeedb9c62 100644
--- a/.github/workflows/spellcheck.yml
+++ b/.github/workflows/spellcheck.yml
@@ -6,6 +6,12 @@ on:
   pull_request:
     branches: [ master, main ]
 
+# Least-privilege GITHUB_TOKEN scope: misspell only reads .md/.txt files
+# (no PR comments, no status updates, no package writes). Explicit block
+# satisfies CodeQL "actions/missing-workflow-permissions" and keeps the
+# token narrowly scoped if Actions analysis is enabled here later.
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -22,9 +28,22 @@ jobs:
       continue-on-error: true
 
     - name: install misspell
+      env:
+        # misspell v0.3.4 linux 64-bit tarball SHA256 (from upstream
+        # release checksums.txt). Pinning version + verifying SHA
+        # avoids executing an unpinned bootstrap script from a floating
+        # ref (the prior 'curl https://git.io/misspell | sh' pattern is
+        # a supply-chain risk) and keeps CI reproducible. Bump
+        # deliberately when upstream releases.
+        MISSPELL_VERSION: "0.3.4"
+        MISSPELL_SHA256: "afd95caf1eecc72ff382791e00b3b11523a20b0579d95e2295c1c043688743d5"
       run: |
-        curl -L -o ./install-misspell.sh https://git.io/misspell
-        sh ./install-misspell.sh
+        curl -fsSL -o misspell.tar.gz \
+          "https://github.com/client9/misspell/releases/download/v${MISSPELL_VERSION}/misspell_${MISSPELL_VERSION}_linux_64bit.tar.gz"
+        echo "${MISSPELL_SHA256} misspell.tar.gz" | sha256sum -c -
+        mkdir -p bin
+        tar -xzf misspell.tar.gz -C bin misspell
+        rm misspell.tar.gz
 
     - name: run misspell
       run: |
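Review bot: The new comment's last clause makes the narrow token scope sound conditional — `keeps the token narrowly scoped if Actions analysis is enabled here later` — whereas the `permissions:` block restricts GITHUB_TOKEN on every run and only the CodeQL finding depends on Actions analysis being enabled. It also says misspell `only reads .md/.txt files`, while the commit message lists examples/**, lib/ and tests/** in the scan scope (the run step itself is outside this hunk), so the comment understates what the job touches. Suggested wording: `# Least-privilege GITHUB_TOKEN scope: misspell only reads checked-out files and prints to stdout (no PR comments, no status updates, no package writes), so read-only is enough. Also satisfies CodeQL "actions/missing-workflow-permissions" if Actions analysis is enabled here later.`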
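Review bot: The verification line `echo "${MISSPELL_SHA256} misspell.tar.gz" | sha256sum -c -` shows a single space between digest and file name in this rendering; `sha256sum -c` parses the format it emits itself (digest, two spaces, name — or digest, space, `*name`), so confirm the committed file has two spaces, because some coreutils versions reject the one-space form with "no properly formatted SHA256 checksum lines found", which still fails the step but for a misleading reason. The step uses the runner's default shell for `run:`, which on Linux is `bash -e` without `pipefail`; this pipeline is safe only because `sha256sum` is its last command, and adding `shell: bash` to the step (GitHub then runs `bash -eo pipefail`) makes that hold for any pipeline added later. The digest in `MISSPELL_SHA256` can only be taken on trust from the commit message here; it is worth a reviewer cross-checking it against the release's `checksums.txt` before merge. The enclosing job, including the `runs-on` that decides the default shell, is outside this hunk.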