Mirror of https://github.com/langchain-ai/control-plane-api-demo.git (synced 2026-07-01 20:44:05 -04:00)
[PR #1] [MERGED] ci: add minimum workflow permissions #1
📋 Pull Request Information
Original PR: https://github.com/langchain-ai/control-plane-api-demo/pull/1
Author: @jkennedyvz
Created: 3/27/2026
Status: ✅ Merged
Merged: 3/27/2026
Merged by: @jkennedyvz
Base: main ← Head: ci/add-minimum-workflow-permissions
📝 Commits (1)
445ec79 ci: add minimum workflow permissions
📊 Changes
2 files changed (+16 additions, -16 deletions)
📝 .github/workflows/new-deployment.yml (+8 -8)
📝 .github/workflows/new-revision.yml (+8 -8)
📄 Description
Fixes 12 workflow permission findings across both workflow files.
Changes
- `permissions: contents: read` to both workflows — without this, the `GITHUB_TOKEN` inherits broad org/repo defaults (Rule 1)
- `pull_request` trigger — secrets (`DOCKER_PASSWORD`, `LANGSMITH_API_KEY`, `OPENAI_API_KEY`) were accessible to PR authors who could modify the workflow file; the existing `push: branches: [main]` trigger already fires on PR merge (Rule 7)
- `docker/*` third-party actions to prevent supply chain attacks via tag hijacking (Rule 6):
  - `docker/setup-buildx-action@v3` → `8d2750c68a42422c14e847fe6c8ac0403b4cbd6f`
  - `docker/login-action@v3` → `c94ce9fb468520275223c153574b00df6fe4bcc9`
  - `docker/metadata-action@v5` → `c299e40c65443455700f0fdfc63efafe5b349051`
  - `docker/build-push-action@v5` → `ca052bb54ab0790a636c9b5f226502c73d547a25`

Files changed
- `.github/workflows/new-deployment.yml`
- `.github/workflows/new-revision.yml`

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
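The three kinds of finding listed in the description can be checked mechanically. The following is an added example, not code from this PR or repository: a stdlib-only Python audit run over a constructed workflow before and after the described changes. The finding labels, the `FIRST_PARTY` exemption and the sample workflow text are assumptions made for illustration.

```python
import re

# Constructed sample, not the repository's actual workflow file.
BEFORE = """\
on:
  push:
    branches: [main]
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        with:
          password: ${{ secrets.DOCKER_PASSWORD }}
"""
# Same workflow with the three changes from the PR description applied.
AFTER = (BEFORE.replace("  pull_request:\n", "")
         .replace("jobs:", "permissions:\n  contents: read\njobs:")
         .replace("login-action@v3",
                  "login-action@c94ce9fb468520275223c153574b00df6fe4bcc9"))

FIRST_PARTY = {"actions", "github"}  # assumption: GitHub-owned orgs exempt from pinning
USES = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*([\w.-]+)/[\w./-]+@(\S+)", re.M)
FULL_SHA = re.compile(r"[0-9a-f]{40}")

def audit(workflow: str) -> list[str]:
    """Return finding labels (hypothetical names) for one workflow file's text."""
    findings = []
    # Top-level key only; a job-level permissions block does not cover other jobs.
    if not re.search(r"^permissions:", workflow, re.M):
        findings.append("no-top-level-permissions")
    # Match the block form (indented key) or the inline form (on: [push, pull_request]).
    pr_trigger = re.search(r"^[ \t]+pull_request:|^on:.*\bpull_request\b", workflow, re.M)
    if pr_trigger and "secrets." in workflow:
        findings.append("secrets-with-pull_request-trigger")
    # A tag such as v3 is mutable; only a full 40-hex commit SHA counts as pinned.
    for owner, ref in USES.findall(workflow):
        if owner not in FIRST_PARTY and not FULL_SHA.fullmatch(ref):
            findings.append(f"unpinned:{owner}@{ref}")
    return findings

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(text))
```

The check is line-based and does not parse YAML, so it will miss triggers or `uses:` entries written in unusual layouts.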