What would you like to be added?
Some GitHub Actions validation workflows should define a top-level permissions block.
These workflows currently do not define one:
.github/workflows/build.yaml
.github/workflows/test.yaml
.github/workflows/gen.yaml
.github/workflows/build_tool.yaml
They mostly check out the repository and run build, test, generated-code, or image-build checks. They do not appear to need write access to the repository.
I suggest adding this to each workflow:
permissions:
  contents: read
Why is this needed?
This makes the GITHUB_TOKEN permissions explicit and limits the token to read-only access for these validation jobs.
Using the smallest required permissions is safer and follows the principle of least privilege.
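A check along these lines can confirm which workflows still lack the block after the change. It is an added example, not code from this repository: the `classify` and `audit` helpers are hypothetical, the sample workflow bodies are constructed, and the line-based match assumes top-level keys start at column 0 rather than parsing YAML in full.

```python
import re
import tempfile
from pathlib import Path

# A top-level YAML key starts at column 0. An indented "permissions:" key is
# usually job-level and only covers that job; jobs without their own block
# still fall back to the repository default for GITHUB_TOKEN.
TOP_LEVEL = re.compile(r"^permissions\s*:")
INDENTED = re.compile(r"^\s+permissions\s*:")  # heuristic, not a YAML parse

def classify(text):
    """Return 'top-level', 'job-level-only' or 'missing' for one workflow."""
    status = "missing"
    for line in text.splitlines():
        if TOP_LEVEL.match(line):
            return "top-level"
        if INDENTED.match(line):
            status = "job-level-only"
    return status

def audit(workflow_dir):
    """Map each workflow file name in workflow_dir to its classification."""
    results = {}
    for path in sorted(Path(workflow_dir).iterdir()):
        if path.suffix in (".yaml", ".yml"):
            results[path.name] = classify(path.read_text(encoding="utf-8"))
    return results

# Constructed sample workflows; only the file names echo the issue.
SAMPLES = {
    "build.yaml": "name: build\non: [pull_request]\njobs:\n  build:\n"
                  "    runs-on: ubuntu-latest\n    steps:\n      - run: make\n",
    "test.yaml": "name: test\non: [pull_request]\n# permissions: none yet\n"
                 "permissions:\n  contents: read\njobs:\n  test:\n"
                 "    runs-on: ubuntu-latest\n    steps:\n      - run: make test\n",
    "gen.yaml": "name: gen\non: [pull_request]\njobs:\n  gen:\n"
                "    permissions:\n      contents: read\n"
                "    runs-on: ubuntu-latest\n    steps:\n      - run: make gen\n",
}

def demo():
    """Write the constructed samples to a temp directory and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLES.items():
            Path(tmp, name).write_text(body, encoding="utf-8")
        return audit(tmp)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Running `audit(".github/workflows")` from the repository root gives the same report for the real files; anything not reported as `top-level` still needs the block.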