From 8858279dae979f0ffceb70561c278b0db02dfcf0 Mon Sep 17 00:00:00 2001
From: Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com>
Date: Wed, 4 Mar 2026 09:29:28 +0100
Subject: [PATCH] Limit privilege escalation and token theft in workflows
https://lists.openssf-vuln.org/g/siren/message/6
- Added explicit permissions blocks to restrict access (mostly contents: read, id-token: write).
- Limited event triggers to only trusted branches
- Added workflow_dispatch where missing.
---
 .github/workflows/check_changelogs.yml | 4 ++++
 .github/workflows/gpu_test.yml | 3 +++
 .github/workflows/hypothesis.yaml | 3 +++
 .github/workflows/lint.yml | 3 +++
 .github/workflows/needs_release_notes.yml | 3 ++-
 .github/workflows/nightly_wheels.yml | 3 +++
 .github/workflows/releases.yml | 10 +++++++++-
 .github/workflows/test.yml | 5 ++++-
 8 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/check_changelogs.yml b/.github/workflows/check_changelogs.yml
index 9b39233dd8..02b57a5e36 100644
--- a/.github/workflows/check_changelogs.yml
+++ b/.github/workflows/check_changelogs.yml
@@ -2,6 +2,10 @@ name: Check changelog entries on: pull_request: + workflow_dispatch: + +permissions: + contents: read jobs: check-changelogs:
diff --git a/.github/workflows/gpu_test.yml b/.github/workflows/gpu_test.yml
index 337a2d2578..c474485dc0 100644
--- a/.github/workflows/gpu_test.yml
+++ b/.github/workflows/gpu_test.yml
@@ -13,6 +13,9 @@ on: env: LD_LIBRARY_PATH: /usr/local/cuda/extras/CUPTI/lib64:/usr/local/cuda/lib64 +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true
diff --git a/.github/workflows/hypothesis.yaml b/.github/workflows/hypothesis.yaml
index d8a0acdfd4..1ec6b4806d 100644
--- a/.github/workflows/hypothesis.yaml
+++ b/.github/workflows/hypothesis.yaml
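Review bot: The top-level `permissions: contents: read` added here makes the GITHUB_TOKEN of every job in the file read-only, and the jobs themselves are outside the hunk, so any step that writes through that token (creating a comment or check, uploading to a release, requesting an OIDC token) will now fail unless that job declares its own job-level `permissions:` block. The same applies to the identical blocks added in gpu_test.yml, hypothesis.yaml, lint.yml, nightly_wheels.yml, releases.yml and test.yml; the `build_and_upload_nightly` job in nightly_wheels.yml is the one most worth confirming, since its upload step is not visible in the patch. Adding `workflow_dispatch:` to a workflow that previously ran only on `pull_request` is fine, but a manual run carries no `github.event.pull_request` context, so the `check-changelogs` job (outside the hunk) presumably needs to tolerate that case rather than fail on a missing PR number.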
@@ -9,6 +9,9 @@ on: - cron: "0 0 * * *" # Daily “At 00:00” UTC workflow_dispatch: # allows you to trigger manually +permissions: + contents: read + env: FORCE_COLOR: 3
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 7a7b846bdb..4ba9358f9e 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -7,6 +7,9 @@ on: branches: [main, 3.1.x] workflow_dispatch: +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true
diff --git a/.github/workflows/needs_release_notes.yml b/.github/workflows/needs_release_notes.yml
index d789a926a2..b7b467d790 100644
--- a/.github/workflows/needs_release_notes.yml
+++ b/.github/workflows/needs_release_notes.yml
@@ -1,7 +1,8 @@ name: "Pull Request Labeler" on: - - pull_request_target + - pull_request_target: + types: [opened, reopened, synchronize] jobs: labeler:
diff --git a/.github/workflows/nightly_wheels.yml b/.github/workflows/nightly_wheels.yml
index 82a8676834..834d563722 100644
--- a/.github/workflows/nightly_wheels.yml
+++ b/.github/workflows/nightly_wheels.yml
@@ -6,6 +6,9 @@ on: - cron: '0 2 * * *' workflow_dispatch: +permissions: + contents: read + jobs: build_and_upload_nightly: name: Build and upload nightly wheels
diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml
index 054bc00e45..e3e3c446fa 100644
--- a/.github/workflows/releases.yml
+++ b/.github/workflows/releases.yml
@@ -1,6 +1,14 @@ name: Wheels -on: [push, pull_request] +on: + push: + branches: [main] + pull_request: + branches: [main] + workflow_dispatch: + +permissions: + contents: read jobs:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index bd6a3a91a7..5af29c960e 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
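Review bot: The new `on:` block in needs_release_notes.yml keeps the list form while nesting a mapping under the item (`- pull_request_target:` with `types:` beneath it), which parses as a sequence whose only element is a mapping; as far as I know GitHub's workflow schema accepts `on` as an event name, a list of event names or a mapping of events, but not a list of mappings, so the workflow would be rejected as invalid. The intended shape is the mapping form: `on:` / `  pull_request_target:` / `    types: [opened, reopened, synchronize]` (the `-` dropped). The `types` filter also does not change who can trigger the run — `pull_request_target` still fires for pull requests from forks, with a base-branch token and secrets — so this hunk does not deliver the "limited event triggers to only trusted branches" the commit message describes. This is the one workflow in the patch that receives no `permissions:` block; the `labeler` job (outside the hunk) presumably needs only `pull-requests: write`, so a top-level `permissions:` with `contents: read` and `pull-requests: write` would be the actual privilege reduction for this file.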
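Review bot: Restricting `push` to `branches: [main]` in releases.yml means tag pushes no longer trigger the Wheels workflow — when only a `branches` filter is given GitHub skips tag events entirely — so if releases are cut from tags, the wheel build for a release will not run; a `tags:` entry matching the project's release tag pattern (`tags: ['<release-tag-pattern>']`, placeholder) should sit beside `branches` under `push`. The `pull_request: branches: [main]` filter is also narrower than the `[main, 3.1.x]` used in lint.yml and test.yml in this same patch, so PRs against the 3.1.x maintenance branch would be linted and tested but never build wheels; `branches: [main, 3.1.x]` would keep the three workflows consistent. No hunk in the patch adds `id-token: write`, although the commit message says the permissions blocks are "mostly contents: read, id-token: write"; if a publish job under `jobs:` (outside the hunk) relies on OIDC trusted publishing, it now needs a job-level `permissions:` with `id-token: write`, and the message should be brought in line with the diff either way.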
@@ -10,6 +10,9 @@ on: branches: [ main, 3.1.x ] workflow_dispatch: +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true
@@ -150,4 +153,4 @@ jobs: contains(needs.*.result, 'cancelled') run: exit 1 - name: Success - run: echo Success! \ No newline at end of file + run: echo Success!