Skip to content

ci: declare contents:read on CI workflow#2437

Open
arpitjain099 wants to merge 1 commit into
tensorflow:masterfrom
arpitjain099:chore/ci-permissions
Open

ci: declare contents:read on CI workflow#2437
arpitjain099 wants to merge 1 commit into
tensorflow:masterfrom
arpitjain099:chore/ci-permissions

Conversation

@arpitjain099
Copy link
Copy Markdown

@arpitjain099 arpitjain099 commented May 14, 2026

The CI workflow runs three notebook-validation jobs (nbfmt, nblint, outputs-removed) against the PR diff. None of them write to the repo or comment on the PR; they only invoke actions/setup-python, actions/checkout, and Python tools from tensorflow-docs.

This patch pins the workflow to permissions: contents: read. With it set:

  • the workflow token can't be widened by a future change to the repo-default token grant
  • the SLSA / OpenSSF Scorecard Token-Permissions check goes green for this file
  • the explicit scope keeps the contract documented in-file

Style matches the other workflows in this repo that already declare permissions.

No behavioural change to the three jobs.

@arpitjain099
ci: declare contents:read on CI workflow
b9787d4 
CI runs three notebook-only jobs (nbfmt, nblint, outputs-removed)
against the diff. None touch the GitHub API beyond actions/checkout.
contents:read is the minimum.

Matches the per-job permissions blocks already used in
notebook-pr-bot.yml and the workflow-level scopes documented in
build-and-deploy.yml.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@arpitjain099 arpitjain099 requested a review from a team as a code owner May 14, 2026 01:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@arpitjain099