From d22ff418e40ec46050b2129364661aefbdbb4aff Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Fri, 15 May 2026 14:40:12 +0900
Subject: [PATCH] ci: declare workflow-level contents: read on 16 build/regen workflows

Pins the default GITHUB_TOKEN to contents: read on every workflow in .github/workflows/. They are all native-library binding regen workflows (angle, assimp, dxvk, glfw, moltenvk, openal-soft, sdl2, shaderc, spirv-cross, spirv-reflect, swiftshader, vkd3d, vulkan-loader, wgpu) plus bindings-regeneration and codeowners checks. None call a GitHub API beyond the initial checkout.

Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow caps bound runtime authority irrespective of repo or org default, give drift protection if the default ever widens, and are credited per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load.

Signed-off-by: Arpit Jain
---
 .github/workflows/angle.yml | 4 ++++
 .github/workflows/assimp.yml | 4 ++++
 .github/workflows/bindings-regeneration.yml | 3 +++
 .github/workflows/codeowners.yml | 4 ++++
 .github/workflows/dxvk.yml | 4 ++++
 .github/workflows/glfw.yml | 4 ++++
 .github/workflows/moltenvk.yml | 4 ++++
 .github/workflows/openal-soft.yml | 4 ++++
 .github/workflows/sdl2.yml | 4 ++++
 .github/workflows/shaderc.yml | 4 ++++
 .github/workflows/spirv-cross.yml | 4 ++++
 .github/workflows/spirv-reflect.yml | 4 ++++
 .github/workflows/swiftshader.yml | 4 ++++
 .github/workflows/vkd3d.yml | 4 ++++
 .github/workflows/vulkan-loader.yml | 4 ++++
 .github/workflows/wgpu.yml | 4 ++++
 16 files changed, 63 insertions(+)
diff --git a/.github/workflows/angle.yml b/.github/workflows/angle.yml
index 821c6eb7bd..279c7bb453 100644
--- a/.github/workflows/angle.yml
+++ b/.github/workflows/angle.yml
@@ -10,6 +10,10 @@ on:
 - build/nuke/Native/Core.cs
 - build/nuke/Native/Angle.cs
 - .github/workflows/angle.yml
+
+permissions:
+ contents: read
+
 jobs:
 Build:
 if: github.repository == 'dotnet/Silk.NET'
diff --git a/.github/workflows/assimp.yml b/.github/workflows/assimp.yml
index 70b7a45bbb..af29ccc942 100644
--- a/.github/workflows/assimp.yml
+++ b/.github/workflows/assimp.yml
@@ -11,6 +11,10 @@ on:
 - build/nuke/Native/Core.cs
 - build/nuke/Native/Assimp.cs
 - .github/workflows/assimp.yml
+
+permissions:
+ contents: read
+
 jobs:
 Build:
 if: github.repository == 'dotnet/Silk.NET'
diff --git a/.github/workflows/bindings-regeneration.yml b/.github/workflows/bindings-regeneration.yml
index 2480208f36..e92ef58ed4 100644
--- a/.github/workflows/bindings-regeneration.yml
+++ b/.github/workflows/bindings-regeneration.yml
@@ -5,6 +5,9 @@ on:
 # - cron: '0 0 * * Fri'
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 build:
diff --git a/.github/workflows/codeowners.yml b/.github/workflows/codeowners.yml
index 3434cc375a..2aba6ec3a6 100644
--- a/.github/workflows/codeowners.yml
+++ b/.github/workflows/codeowners.yml
@@ -6,6 +6,10 @@ on:
 pull_request:
 paths:
 - "CODEOWNERS"
+
+permissions:
+ contents: read
+
 jobs:
 Validate:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/dxvk.yml b/.github/workflows/dxvk.yml
index b3aa226b14..4d7cff94b4 100644
--- a/.github/workflows/dxvk.yml
+++ b/.github/workflows/dxvk.yml
@@ -10,6 +10,10 @@ on:
 - "ci/**"
 - "develop/**"
 - "main"
+
+permissions:
+ contents: read
+
 jobs:
 Build:
 if: github.repository == 'dotnet/Silk.NET'
diff --git a/.github/workflows/glfw.yml b/.github/workflows/glfw.yml
index 050d3f0989..a1c53162a4 100644
--- a/.github/workflows/glfw.yml
+++ b/.github/workflows/glfw.yml
@@ -11,6 +11,10 @@ on:
 - "build/nuke/Native/Core.cs"
 - "build/nuke/Native/GLFW.cs"
 - .github/workflows/glfw.yml
+
+permissions:
+ contents: read
+
 jobs:
 Build:
 if: github.repository == 'dotnet/Silk.NET'
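Review bot: The `Build` job this block now governs continues outside the hunk, so the description's claim that nothing beyond checkout uses the token cannot be confirmed from what is shown; any step in that job that pushes regenerated binaries or tags, or opens a PR, with `GITHUB_TOKEN` will now fail with a 403, while a step that does so with a PAT from `secrets` is not constrained by this pin at all. Verify the job body once, and if a single step genuinely needs write access, grant it with a job-level `permissions:` on that job rather than widening this workflow-level block. A one-line comment above `permissions:` would keep the next maintainer who hits a 403 from "fixing" it by re-widening: `# Least-privilege default token; widen per job if a step needs write, never here.`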
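Review bot: bindings-regeneration.yml is triggered by `workflow_dispatch` (plus a commented-out weekly cron), which is the profile of a job that regenerates bindings and commits or opens a PR; if the `build` job, which lies outside the hunk, does that with `GITHUB_TOKEN`, `contents: read` breaks it at the push (it would need `contents: write`, and `pull-requests: write` to open a PR). If it instead uses a PAT or app token from `secrets`, this pin leaves that credential unconstrained and the description's "none call a GitHub API beyond the initial checkout" should be qualified. Either way, record what the job actually needs next to the pin, e.g. `# build only reads; regenerated output is not pushed by this workflow`, or the job-level grant if one is required.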
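Review bot: codeowners.yml runs on `pull_request`, where fork-originated runs already receive a read-only `GITHUB_TOKEN`, so this pin changes behaviour only for same-repository PRs; the `Validate` job, whose steps lie outside the hunk, is the one to check. A CODEOWNERS validator that reports through a check run or a PR comment would need `checks: write` or `pull-requests: write` and will now fail; if it only exits non-zero, `contents: read` is sufficient and a comment saying so would make that explicit: `# Validate only reads CODEOWNERS and fails the job; no write scopes needed.`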
diff --git a/.github/workflows/moltenvk.yml b/.github/workflows/moltenvk.yml
index 4b839b841e..e21a9c94d1 100644
--- a/.github/workflows/moltenvk.yml
+++ b/.github/workflows/moltenvk.yml
@@ -10,6 +10,10 @@ on:
 - build/nuke/Native/Core.cs
 - build/nuke/Native/MoltenVK.cs
 - .github/workflows/moltenvk.yml
+
+permissions:
+ contents: read
+
 jobs:
 Build:
 if: github.repository == 'dotnet/Silk.NET'
diff --git a/.github/workflows/openal-soft.yml b/.github/workflows/openal-soft.yml
index c0be726225..273b80ac29 100644
--- a/.github/workflows/openal-soft.yml
+++ b/.github/workflows/openal-soft.yml
@@ -11,6 +11,10 @@ on:
 - build/nuke/Native/Core.cs
 - build/nuke/Native/OpenALSoft.cs
 - .github/workflows/openal-soft.yml
+
+permissions:
+ contents: read
+
 jobs:
 Build:
 if: github.repository == 'dotnet/Silk.NET'
diff --git a/.github/workflows/sdl2.yml b/.github/workflows/sdl2.yml
index da4a5ddc29..683120813d 100644
--- a/.github/workflows/sdl2.yml
+++ b/.github/workflows/sdl2.yml
@@ -13,6 +13,10 @@ on:
 - build/nuke/Native/SilkDroid.cs
 - build/nuke/Build.Support.cs
 - .github/workflows/sdl2.yml
+
+permissions:
+ contents: read
+
 jobs:
 Build:
 if: github.repository == 'dotnet/Silk.NET'
diff --git a/.github/workflows/shaderc.yml b/.github/workflows/shaderc.yml
index b88d612f9b..e4bfdf380b 100644
--- a/.github/workflows/shaderc.yml
+++ b/.github/workflows/shaderc.yml
@@ -10,6 +10,10 @@ on:
 - build/nuke/Native/Core.cs
 - build/nuke/Native/Shaderc.cs
 - .github/workflows/shaderc.yml
+
+permissions:
+ contents: read
+
 jobs:
 Build:
 if: github.repository == 'dotnet/Silk.NET'
diff --git a/.github/workflows/spirv-cross.yml b/.github/workflows/spirv-cross.yml
index 22eeb19650..6db19208ce 100644
--- a/.github/workflows/spirv-cross.yml
+++ b/.github/workflows/spirv-cross.yml
@@ -10,6 +10,10 @@ on:
 - build/nuke/Native/Core.cs
 - build/nuke/Native/SPIRVCross.cs
 - .github/workflows/spirv-cross.yml
+
+permissions:
+ contents: read
+
 jobs:
 Build:
 if: github.repository == 'dotnet/Silk.NET'
diff --git a/.github/workflows/spirv-reflect.yml b/.github/workflows/spirv-reflect.yml
index 1e74cfb226..17a995d4cb 100644
--- a/.github/workflows/spirv-reflect.yml
+++ b/.github/workflows/spirv-reflect.yml
@@ -10,6 +10,10 @@ on:
 - build/nuke/Native/Core.cs
 - build/nuke/Native/SPIRVReflect.cs
 - .github/workflows/spirv-reflect.yml
+
+permissions:
+ contents: read
+
 jobs:
 Build:
 if: github.repository == 'dotnet/Silk.NET'
diff --git a/.github/workflows/swiftshader.yml b/.github/workflows/swiftshader.yml
index 98062f1ce4..b08f3684a1 100644
--- a/.github/workflows/swiftshader.yml
+++ b/.github/workflows/swiftshader.yml
@@ -11,6 +11,10 @@ on:
 - "ci/**"
 - "develop/**"
 - "main"
+
+permissions:
+ contents: read
+
 jobs:
 Build:
 if: github.repository == 'dotnet/Silk.NET'
diff --git a/.github/workflows/vkd3d.yml b/.github/workflows/vkd3d.yml
index 9d1d0b6881..7f1aab8ab9 100644
--- a/.github/workflows/vkd3d.yml
+++ b/.github/workflows/vkd3d.yml
@@ -14,6 +14,10 @@ on:
 - build/nuke/Native/Vkd3d.cs
 - .github/workflows/vkd3d.yml
 - src/Microsoft/Vkd3dCompiler/*
+
+permissions:
+ contents: read
+
 jobs:
 Build:
 if: github.repository == 'dotnet/Silk.NET'
diff --git a/.github/workflows/vulkan-loader.yml b/.github/workflows/vulkan-loader.yml
index 5bee21dc8b..82b0bc67e1 100644
--- a/.github/workflows/vulkan-loader.yml
+++ b/.github/workflows/vulkan-loader.yml
@@ -11,6 +11,10 @@ on:
 - build/nuke/Native/Core.cs
 - build/nuke/Native/VulkanLoader.cs
 - .github/workflows/vulkan-loader.yml
+
+permissions:
+ contents: read
+
 jobs:
 Build:
 if: github.repository == 'dotnet/Silk.NET'
diff --git a/.github/workflows/wgpu.yml b/.github/workflows/wgpu.yml
index 39bdec3fc6..93efccd5d6 100644
--- a/.github/workflows/wgpu.yml
+++ b/.github/workflows/wgpu.yml
@@ -10,6 +10,10 @@ on:
 - build/nuke/Native/Core.cs
 - build/nuke/Native/Wgpu.cs
 - .github/workflows/wgpu.yml
+
+permissions:
+ contents: read
+
 jobs:
 Build:
 if: github.repository == 'dotnet/Silk.NET'