From 647db7d696b4c8285a9dd80be773aff7e9740840 Mon Sep 17 00:00:00 2001 From: Yuriy Andamasov Date: Mon, 11 May 2026 01:20:33 +0300 Subject: ci(ai-validation): scope GitHub App token to permission-contents: read MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The token is used only for read-only repo operations (sparse-checkout of reviewer branches.json, full checkout of vyos-1x, download of the reference-DB release asset). Without an explicit permission-* input the token inherits all installation permissions. Scope it down so a compromise cannot mutate either repo. Surfaced by CodeRabbit on #1960; applied to all three branch copies (rolling via #1969 follow-up + circinus #1959 + sagitta #1960) so the workflow stays in sync across the version-train branches. 🤖 Generated by [robots](https://vyos.io) --- .github/workflows/ai-validation.yml | 5 +++++ 1 file changed, 5 insertions(+) (limited to '.github/workflows') diff --git a/.github/workflows/ai-validation.yml b/.github/workflows/ai-validation.yml index 36f5cb6c..1265b789 100644 --- a/.github/workflows/ai-validation.yml +++ b/.github/workflows/ai-validation.yml @@ -209,6 +209,11 @@ jobs: private-key: ${{ secrets.VYOS_APP_PRIVATE_KEY }} owner: VyOS-Networks repositories: vyos-1x,vyos-docs-opus-reviewer + # Token is used only for read-only operations: sparse-checkout + # of branches.json from the reviewer repo, full checkout of + # vyos-1x, and download of the reference-DB release asset. No + # write back to either repo. Scope the App token accordingly. + permission-contents: read - name: Sparse-checkout branches.json from reviewer if: steps.secrets-check.outputs.skip != 'true' -- cgit v1.2.3