From 18d250d3cff6c0ad44ac9eaab7a5475020973f7c Mon Sep 17 00:00:00 2001 From: Arpit Jain Date: Tue, 26 May 2026 07:58:44 +0900 Subject: [PATCH 1/2] ci(documentation): cap GITHUB_TOKEN to contents: read Workflow runs checks only; no GitHub API writes. Post-CVE-2025-30066 hardening pattern. Signed-off-by: Arpit Jain --- .github/workflows/documentation.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml index bd82d189e8..f5965171a5 100644 --- a/.github/workflows/documentation.yml +++ b/.github/workflows/documentation.yml @@ -6,6 +6,9 @@ on: - master - v4.0 +permissions: + contents: read + jobs: documentation: runs-on: ubuntu-latest From ad10fc9ee213689f6fd5ecd8f508d23c77050866 Mon Sep 17 00:00:00 2001 From: Arpit Jain Date: Sun, 31 May 2026 09:49:29 +0900 Subject: [PATCH 2/2] Grant job-level contents: write for gh-pages push Per review feedback (@nkaradzhov): the Upload step pushes generated docs to gh-pages via 'npm run gh-pages', which needs contents: write. Keeping workflow-level contents: read as the least-privilege default and only elevating the documentation job, per least-privilege-per-job pattern. Signed-off-by: Arpit Jain --- .github/workflows/documentation.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml index f5965171a5..51942f5c18 100644 --- a/.github/workflows/documentation.yml +++ b/.github/workflows/documentation.yml @@ -12,6 +12,8 @@ permissions: jobs: documentation: runs-on: ubuntu-latest + permissions: + contents: write # required to push generated docs to gh-pages steps: - uses: actions/checkout@v4 with:
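Review bot: for the first hunk (adding workflow-level `permissions: contents: read`), the commit message's premise that the workflow "runs checks only; no GitHub API writes" does not hold for this file: the second patch in the series states that the Upload step pushes generated docs to gh-pages via `npm run gh-pages`, which needs `contents: write`, so this change on its own breaks the deploy on the next push to master or v4.0. Before capping the default token, inventory every step that writes (pushes, releases, PR comments, check annotations) and either grant the scope at job level or split the write step into its own job; the placement of the block between `on:` and `jobs:` is otherwise correct.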
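Review bot: for the second hunk (job-level `permissions: contents: write` on the `documentation` job), confirm that `npm run gh-pages` actually authenticates with `GITHUB_TOKEN`; if the push uses a stored PAT or deploy key instead, this elevation is unnecessary and the least-privilege work belongs on that credential. Two things worth stating in the inline comment or commit message: a job-level `permissions` block replaces the workflow-level one for that job rather than merging with it, so the `contents: read` default only governs jobs that declare nothing, and because `actions/checkout@v4` persists the token in the checkout by default, every step after it in this job, not just the Upload step, can push to the repository.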