summaryrefslogtreecommitdiff
path: root/.github
diff options
context:
space:
mode:
authorYuriy Andamasov <yuriy@vyos.io>2026-05-11 01:20:33 +0300
committerYuriy Andamasov <yuriy@vyos.io>2026-05-11 01:20:33 +0300
commit647db7d696b4c8285a9dd80be773aff7e9740840 (patch)
treeff9a87e0459d8a34c7c9e0df1308988dc62d3759 /.github
parent8b5c867897bad4278b29b318b493f2ceee8015e0 (diff)
downloadvyos-documentation-647db7d696b4c8285a9dd80be773aff7e9740840.tar.gz
vyos-documentation-647db7d696b4c8285a9dd80be773aff7e9740840.zip
ci(ai-validation): scope GitHub App token to permission-contents: read
The token is used only for read-only repo operations (sparse-checkout of reviewer branches.json, full checkout of vyos-1x, download of the reference-DB release asset). Without an explicit permission-* input the token inherits all installation permissions. Scope it down so a compromise cannot mutate either repo. Surfaced by CodeRabbit on #1960; applied to all three branch copies (rolling via #1969 follow-up + circinus #1959 + sagitta #1960) so the workflow stays in sync across the version-train branches. 🤖 Generated by [robots](https://vyos.io)
Diffstat (limited to '.github')
-rw-r--r--.github/workflows/ai-validation.yml5
1 files changed, 5 insertions, 0 deletions
diff --git a/.github/workflows/ai-validation.yml b/.github/workflows/ai-validation.yml
index 36f5cb6c..1265b789 100644
--- a/.github/workflows/ai-validation.yml
+++ b/.github/workflows/ai-validation.yml
@@ -209,6 +209,11 @@ jobs:
private-key: ${{ secrets.VYOS_APP_PRIVATE_KEY }}
owner: VyOS-Networks
repositories: vyos-1x,vyos-docs-opus-reviewer
+ # Token is used only for read-only operations: sparse-checkout
+ # of branches.json from the reviewer repo, full checkout of
+ # vyos-1x, and download of the reference-DB release asset. No
+ # write back to either repo. Scope the App token accordingly.
+ permission-contents: read
- name: Sparse-checkout branches.json from reviewer
if: steps.secrets-check.outputs.skip != 'true'