
ci(documentation): cap GITHUB_TOKEN to contents: read #3291

Open
arpitjain099 wants to merge 2 commits into redis:master from arpitjain099:chore/declare-workflow-perms

Conversation


@arpitjain099 arpitjain099 commented May 25, 2026

Pins the default GITHUB_TOKEN to contents: read at workflow level. No GitHub API writes from the workflow.

Post-CVE-2025-30066 (tj-actions/changed-files) hardening pattern. YAML validated locally.


Note

Low Risk
CI-only permission tightening with an explicit write grant on the job that publishes docs; no runtime or application code changes.

Overview
Hardens the Documentation workflow by setting workflow-level permissions to contents: read, so the default GITHUB_TOKEN cannot write to the repo unless a job opts in.

The documentation job overrides with contents: write so the existing gh-pages push step can still publish generated docs.

Reviewed by Cursor Bugbot for commit ad10fc9.

Workflow runs checks only; no GitHub API writes. Post-CVE-2025-30066 hardening pattern.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit 18d250d.

Comment thread .github/workflows/documentation.yml
@nkaradzhov (Collaborator)

@arpitjain099 thanks, i will have a look


@nkaradzhov nkaradzhov left a comment


@arpitjain099

Upload step pushes to gh-pages branch via npm run gh-pages (line 26-27), authenticating with GITHUB_TOKEN. With contents: read only, the push fails (403 Forbidden / remote: Permission denied).

"YAML validated locally" only checks syntax, not runtime token scope. No CI run on master/v4.0 push has exercised this yet.

Fix — least-privilege per job:

permissions:
  contents: read

jobs:
  documentation:
    permissions:
      contents: write   # required for gh-pages push
    runs-on: ubuntu-latest

Keeps workflow-level read-only default, grants write only to the job that needs it. Still a hardening win vs. the implicit default GITHUB_TOKEN scope.
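To make the reviewer's point checkable before a CI run, here is a small resolver that computes each job's effective GITHUB_TOKEN scopes from a parsed workflow and reports whether the documentation job can still push gh-pages. This is an added example, not code from node-redis or from this PR. It encodes GitHub's permission rules as I understand them from the GitHub Actions documentation (an assumption, stated in the docstring): a job-level `permissions` block replaces the workflow-level block for that job rather than merging with it, any scope not listed becomes `none` (metadata is always `read`), and a workflow with no block at all inherits the repository default. The scope list, the two repository defaults, and the three sample workflows (mirroring no declaration, the first commit, and the per-job fix) are constructed for illustration.

```python
"""Resolve the effective GITHUB_TOKEN scopes of each job in a GitHub Actions workflow.

Added example, not code from node-redis or the PR. Rules modeled (assumption,
from GitHub's docs as the author reads them):
  * a workflow-level `permissions:` block applies to every job that does not
    declare its own; a job-level block REPLACES it for that job (no merge);
  * once any scope is listed, every unlisted scope becomes `none`,
    except `metadata`, which is always `read`;
  * `read-all` / `write-all` are shorthands covering every scope;
  * with no block at either level, the repository default applies:
    "permissive" (write on most scopes) or "restricted" (read on contents/packages).
Scope names, defaults and the sample workflows below are constructed, not taken
from the repository.
"""
from __future__ import annotations

# Assumed scope list (subset of what GitHub supports; enough for this workflow).
SCOPES = (
    "actions", "attestations", "checks", "contents", "deployments", "discussions",
    "id-token", "issues", "packages", "pages", "pull-requests",
    "repository-projects", "security-events", "statuses",
)


def _default_scopes(repo_default: str) -> dict[str, str]:
    """Scopes a job gets when neither workflow nor job declares `permissions`."""
    if repo_default == "permissive":
        perms = {s: "write" for s in SCOPES}
        perms["id-token"] = "none"  # OIDC tokens are never granted implicitly
    elif repo_default == "restricted":
        perms = {s: "none" for s in SCOPES}
        perms["contents"] = perms["packages"] = "read"
    else:
        raise ValueError(f"unknown repository default: {repo_default}")
    perms["metadata"] = "read"
    return perms


def _expand(block) -> dict[str, str]:
    """Normalize one `permissions:` value (mapping or read-all/write-all shorthand)."""
    if block in ("read-all", "write-all"):
        perms = {s: block.split("-")[0] for s in SCOPES}
    elif isinstance(block, dict):
        perms = {s: "none" for s in SCOPES}  # listing any scope zeroes the rest
        for scope, level in block.items():
            if scope not in SCOPES or level not in ("read", "write", "none"):
                raise ValueError(f"invalid permission {scope}: {level}")
            perms[scope] = level
    else:
        raise ValueError(f"unsupported permissions value: {block!r}")
    perms["metadata"] = "read"
    return perms


def effective_permissions(workflow: dict, repo_default: str = "permissive") -> dict[str, dict[str, str]]:
    """Return {job_id: {scope: level}} for every job in the parsed workflow."""
    wf_block = workflow.get("permissions")
    result: dict[str, dict[str, str]] = {}
    for job_id, job in workflow.get("jobs", {}).items():
        if "permissions" in job:
            result[job_id] = _expand(job["permissions"])  # job block wins outright
        elif wf_block is not None:
            result[job_id] = _expand(wf_block)
        else:
            result[job_id] = _default_scopes(repo_default)
    return result


def audit(workflow: dict, repo_default: str = "permissive") -> list[str]:
    """Findings a reviewer wants: jobs silently inheriting the default, and every write scope."""
    findings = []
    wf_declared = "permissions" in workflow
    for job_id, job in workflow.get("jobs", {}).items():
        if "permissions" not in job and not wf_declared:
            findings.append(f"{job_id}: no permissions declared, inherits repository default ({repo_default})")
    for job_id, perms in effective_permissions(workflow, repo_default).items():
        for scope, level in sorted(perms.items()):
            if level == "write":
                findings.append(f"{job_id}: {scope}: write")
    return findings


def can_push(workflow: dict, job_id: str, repo_default: str = "permissive") -> bool:
    """True if the job's token can push to a branch, which needs contents: write."""
    return effective_permissions(workflow, repo_default)[job_id]["contents"] == "write"


def load_workflow(text: str) -> dict:
    """Parse workflow YAML; PyYAML is imported lazily so the rest runs without it."""
    import yaml  # type: ignore
    return yaml.safe_load(text)


# Constructed sample mirroring the PR's first commit: workflow-level read, job inherits it.
WORKFLOW_READ_ONLY = {
    "name": "Documentation",
    "on": {"push": {"branches": ["master", "v4.0"]}},
    "permissions": {"contents": "read"},
    "jobs": {"documentation": {"runs-on": "ubuntu-latest", "steps": [{"run": "npm run gh-pages"}]}},
}
# Constructed sample mirroring the reviewer's fix: read by default, write only on the publishing job.
WORKFLOW_PER_JOB = {
    **WORKFLOW_READ_ONLY,
    "jobs": {"documentation": {**WORKFLOW_READ_ONLY["jobs"]["documentation"], "permissions": {"contents": "write"}}},
}
# Constructed sample with no permissions block at all (the implicit-default situation the PR removes).
WORKFLOW_UNDECLARED = {k: v for k, v in WORKFLOW_READ_ONLY.items() if k != "permissions"}

if __name__ == "__main__":
    for name, wf in (("undeclared", WORKFLOW_UNDECLARED), ("read-only", WORKFLOW_READ_ONLY), ("per-job", WORKFLOW_PER_JOB)):
        print(f"{name}: documentation job can push gh-pages = {can_push(wf, 'documentation')}")
        for finding in audit(wf):
            print("  ", finding)
```

Running it shows the read-only variant cannot push (the 403 the reviewer predicts), the per-job variant can push with exactly one write scope, and the undeclared variant gets a broad write grant under a permissive repository default. It is a static check of what the workflow declares, not of what each step actually needs, so it complements rather than replaces a real run on a master or v4.0 push.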

@arpitjain099 (Author)

> @arpitjain099
>
> Upload step pushes to gh-pages branch via npm run gh-pages (line 26-27), authenticating with GITHUB_TOKEN. With contents: read only, the push fails (403 Forbidden / remote: Permission denied).
>
> "YAML validated locally" only checks syntax, not runtime token scope. No CI run on master/v4.0 push has exercised this yet.
>
> Fix — least-privilege per job:
>
> permissions:
>   contents: read
>
> jobs:
>   documentation:
>     permissions:
>       contents: write   # required for gh-pages push
>     runs-on: ubuntu-latest
>
> Keeps workflow-level read-only default, grants write only to the job that needs it. Still a hardening win vs. the implicit default GITHUB_TOKEN scope.

@nkaradzhov ok I'll check this out later tonight.

Per review feedback (@nkaradzhov): the Upload step pushes generated docs
to gh-pages via 'npm run gh-pages', which needs contents: write. Keeping
workflow-level contents: read as the least-privilege default and only
elevating the documentation job, per least-privilege-per-job pattern.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>

@arpitjain099 (Author)

Thanks @nkaradzhov, you are absolutely right - the Upload step pushes to gh-pages so it needs contents: write. Updated to keep workflow-level contents: read as the default and elevate only the documentation job, per your least-privilege-per-job suggestion.

