Skip to content

ci: declare empty permissions on release workflow#1981

Open
arpitjain099 wants to merge 1 commit into
denoland:mainfrom
arpitjain099:chore/release-permissions
Open

ci: declare empty permissions on release workflow#1981
arpitjain099 wants to merge 1 commit into
denoland:mainfrom
arpitjain099:chore/release-permissions

Conversation

@arpitjain099

@arpitjain099 arpitjain099 commented May 14, 2026

Copy link
Copy Markdown

Pins the release job to permissions: {}. The job checks out the repo with secrets.DENOBOT_PAT and runs deno run -A .../publish_release.ts with GITHUB_TOKEN: ${{ secrets.DENOBOT_PAT }}. The workflow's own GITHUB_TOKEN is never used.

Defense-in-depth angle: a compromised third-party action (cf. CVE-2025-30066 on tj-actions/changed-files) runs inside the existing job context and exfiltrates whatever scope the workflow token holds via build logs. With permissions: {} the token has zero scope to leak; release authority lives only in DENOBOT_PAT.

Matches the per-job permission style already used in this repo's hardened workflows. YAML validated locally with yaml.safe_load.

@CLAassistant

CLAassistant commented May 14, 2026

Copy link
Copy Markdown

CLA assistant check
All committers have signed the CLA.

The release job clones with DENOBOT_PAT and runs the publish_release
task using the same PAT as GITHUB_TOKEN. The workflow's own GITHUB_TOKEN
is unused. permissions:{} captures that.

Style matches the per-job blocks already declared elsewhere in this
repo's hardened workflows.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@arpitjain099 arpitjain099 force-pushed the chore/release-permissions branch from a1b088c to 9b9c5cd Compare June 10, 2026 07:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants