Skip to content

ci: scope ci workflow token to contents: read#2263

Open
arpitjain099 wants to merge 1 commit into
nuxt:mainfrom
arpitjain099:chore/workflow-permissions
Open

ci: scope ci workflow token to contents: read#2263
arpitjain099 wants to merge 1 commit into
nuxt:mainfrom
arpitjain099:chore/workflow-permissions

Conversation

@arpitjain099
Copy link
Copy Markdown

@arpitjain099 arpitjain099 commented Jun 2, 2026

Adds an explicit least-privilege permissions: block to .github/workflows/ci.yml. The job only reads the repository, so contents: read is sufficient; today the workflow inherits whatever the repository default grants, which is broader than it needs. This is one of the checks OpenSSF Scorecard flags under Token-Permissions.

@arpitjain099
ci: scope ci workflow token to contents: read
b364a19 
Set an explicit least-privilege permissions block so the workflow GITHUB_TOKEN is scoped to contents: read instead of inheriting the repository default.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@arpitjain099 arpitjain099 requested a review from atinux as a code owner June 2, 2026 01:19
@vercel
Copy link
Copy Markdown
Contributor

vercel Bot commented Jun 2, 2026

@arpitjain099 is attempting to deploy a commit to the Nuxt Team on Vercel.

A member of the Team first needs to authorize it.

@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai Bot commented Jun 2, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 687f3e5e-8e5e-42a7-8c13-e0ed24eee3fc

📥 Commits

Reviewing files that changed from the base of the PR and between ed3440f and b364a19.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml
📝 Walkthrough

Walkthrough

This PR adds an explicit permissions block to the GitHub Actions CI workflow, granting the default token read-only access to repository contents. The change restricts token permissions at the workflow level without modifying job steps or build commands.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and specifically describes the main change: adding a least-privilege permissions block to the CI workflow to scope the token to contents: read.
Description check ✅ Passed The description provides relevant context about the change, explaining why the least-privilege permissions are being added and referencing the OpenSSF Scorecard check.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@atinux atinux Awaiting requested review from atinux atinux is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@arpitjain099