diff options
| author | Yuriy Andamasov <yuriy@vyos.io> | 2026-05-11 01:20:33 +0300 |
|---|---|---|
| committer | Yuriy Andamasov <yuriy@vyos.io> | 2026-05-11 01:20:33 +0300 |
| commit | 647db7d696b4c8285a9dd80be773aff7e9740840 (patch) | |
| tree | ff9a87e0459d8a34c7c9e0df1308988dc62d3759 /.github | |
| parent | 8b5c867897bad4278b29b318b493f2ceee8015e0 (diff) | |
| download | vyos-documentation-647db7d696b4c8285a9dd80be773aff7e9740840.tar.gz vyos-documentation-647db7d696b4c8285a9dd80be773aff7e9740840.zip | |
ci(ai-validation): scope GitHub App token to permission-contents: read
The token is used only for read-only repo operations (sparse-checkout
of reviewer branches.json, full checkout of vyos-1x, download of the
reference-DB release asset). Without an explicit permission-* input
the token inherits all installation permissions. Scope it down so a
compromise cannot mutate either repo.
Surfaced by CodeRabbit on #1960; applied to all three branch copies
(rolling via #1969 follow-up + circinus #1959 + sagitta #1960) so the
workflow stays in sync across the version-train branches.
🤖 Generated by [robots](https://vyos.io)
Diffstat (limited to '.github')
| -rw-r--r-- | .github/workflows/ai-validation.yml | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/.github/workflows/ai-validation.yml b/.github/workflows/ai-validation.yml index 36f5cb6c..1265b789 100644 --- a/.github/workflows/ai-validation.yml +++ b/.github/workflows/ai-validation.yml @@ -209,6 +209,11 @@ jobs: private-key: ${{ secrets.VYOS_APP_PRIVATE_KEY }} owner: VyOS-Networks repositories: vyos-1x,vyos-docs-opus-reviewer + # Token is used only for read-only operations: sparse-checkout + # of branches.json from the reviewer repo, full checkout of + # vyos-1x, and download of the reference-DB release asset. No + # write back to either repo. Scope the App token accordingly. + permission-contents: read - name: Sparse-checkout branches.json from reviewer if: steps.secrets-check.outputs.skip != 'true' |
