ci: cap GITHUB_TOKEN to contents: read #19759

Status: Open

arpitjain099 wants to merge 2 commits into pytorch:main from arpitjain099:chore/declare-workflow-perms

Conversation

@arpitjain099

Pins the default GITHUB_TOKEN to contents: read at the workflow level. The workflow runs checks only; no GitHub API writes.

Same post-CVE-2025-30066 (tj-actions/changed-files) supply-chain hardening pattern. YAML validated locally with yaml.safe_load.

Workflow runs checks only; no GitHub API writes from the workflow itself. Post-CVE-2025-30066 hardening pattern. yaml.safe_load validated.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
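As an added example (not code from this PR or the ExecuTorch repository), a small Python audit that loads a workflow with yaml.safe_load, as the author did, and reports each job's effective GITHUB_TOKEN permissions against the scopes it needs. The sample workflow, the script path and the required scopes are constructed for illustration.

```python
import yaml

# Constructed sample workflow (not from the repo): the script it runs queries
# issues, so it needs issues: read next to contents: read, as raised in review.
SAMPLE_WORKFLOW = """
name: pending-user-response
on:
  workflow_dispatch:

permissions:
  contents: read
  issues: read

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python scripts/pending_user_response.py
"""


def effective_permissions(workflow):
    """Map each job to the permissions it inherits.

    A job-level block overrides the workflow-level one; None means nothing
    was declared, so the repository's default token scopes apply.
    """
    top = workflow.get("permissions")
    return {name: job.get("permissions", top)
            for name, job in (workflow.get("jobs") or {}).items()}


def audit(workflow_text, required):
    """Return findings: undeclared blocks, missing required scopes, stray writes."""
    findings = []
    for job, perms in effective_permissions(yaml.safe_load(workflow_text)).items():
        if perms is None:
            findings.append(f"{job}: no permissions declared; default token scopes apply")
        elif isinstance(perms, str):  # shorthand read-all / write-all
            if perms == "write-all":
                findings.append(f"{job}: write-all grants every scope")
        else:
            for scope, level in required.items():
                if perms.get(scope) not in (level, "write"):
                    findings.append(f"{job}: missing {scope}: {level}")
            for scope, level in perms.items():
                if level == "write" and scope not in required:
                    findings.append(f"{job}: unneeded write on {scope}")
    return findings
```

Run it over a repository's .github/workflows directory to list jobs that never declare a block or that carry write scopes no step uses.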
@pytorch-bot

pytorch-bot Bot commented May 25, 2026

🔗 Helpful Links

🧪 See artifacts and rendered test results at hud.pytorch.org/pr/pytorch/executorch/19759

Note: Links to docs will display an error until the docs builds have been completed.

This comment was automatically generated by Dr. CI and updates every 15 minutes.

@meta-cla bot added the "CLA Signed" label on May 25, 2026 (this label is managed by the Facebook bot; authors need to sign the CLA before a PR can be reviewed).
@github-actions

This PR needs a release notes: label

If your change should be included in the release notes (i.e. would users of this library care about this change?), please use a label starting with release notes:. This helps us keep track and include your important work in the next release notes.

To add a label, you can comment to pytorchbot, for example
@pytorchbot label "release notes: none"

For more information, see
https://github.com/pytorch/pytorch/wiki/PyTorch-AutoLabel-Bot#why-categorize-for-release-notes-and-how-does-it-work.

workflow_dispatch:

permissions:
contents: read
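Review bot: this block grants the workflow only contents: read, but the thread notes that pending_user_response.py queries issues through PyGithub, so issues: read needs to be declared alongside it (`permissions:` / `contents: read` / `issues: read`); otherwise the script's issue lookups will fail against the capped token.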
Contributor


I believe this job also needs issues: read

@digantdesai added the "triaged" label on May 27, 2026 (this issue has been looked at by a team member, and triaged and prioritized into an appropriate module).
Per review feedback (@JacobSzwejbka): the pending_user_response.py
script queries issues via PyGithub, so the workflow needs issues: read
in addition to contents: read.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@arpitjain099
Author

Thanks @JacobSzwejbka, good catch. Added issues: read to the workflow permissions block in the latest push.
