This repository was archived by the owner on May 29, 2026. It is now read-only.
Commit ec84a5d
committed
fix(security): api-test-coverage — deny-by-default permissions
The workflow triggers on `pull_request` and runs PR-supplied scripts
(`tests/newman/run-all.sh`) inside a CI container, copying the entire
working tree in via `tar | docker exec`. With no `permissions:` block
the job inherits the repo-default GITHUB_TOKEN scope, which on some
org configs grants `pull-requests: write` (comment/approve/push back).
Add a workflow-level + job-level `permissions: contents: read`. The
suite only needs to clone the PR ref. If a future step writes
artifacts/comments, scope it explicitly on that job rather than
relaxing the default.
Pinning `pgvector/pgvector:pg16` and `nextcloud:32-apache` to digests
(reviewer's second recommendation) is left as a follow-up — getting
the wrong digest breaks CI immediately and digest lookup needs Docker
Hub access at commit time.
Refs: #1419 review (blocker 8) — discussion_r31874944481 parent e3742bb commit ec84a5d
1 file changed
Lines changed: 11 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
13 | 13 | | |
14 | 14 | | |
15 | 15 | | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
16 | 25 | | |
17 | 26 | | |
18 | 27 | | |
| |||
30 | 39 | | |
31 | 40 | | |
32 | 41 | | |
| 42 | + | |
| 43 | + | |
33 | 44 | | |
34 | 45 | | |
35 | 46 | | |
| |||
0 commit comments