[PR #1] [MERGED] ci: add minimum workflow permissions #1

Closed
opened 2026-06-05 17:18:13 -04:00 by yindo · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/langchain-ai/control-plane-api-demo/pull/1
Author: @jkennedyvz
Created: 3/27/2026
Status: Merged
Merged: 3/27/2026
Merged by: @jkennedyvz

Base: main
Head: ci/add-minimum-workflow-permissions


📝 Commits (1)

  • 445ec79 ci: add minimum workflow permissions (https://github.com/langchain-ai/control-plane-api-demo/commit/445ec792b66641ccde80664ce514eb4940595656)

📊 Changes

2 files changed (+16 additions, -16 deletions)

📝 .github/workflows/new-deployment.yml (+8 -8)
📝 .github/workflows/new-revision.yml (+8 -8)

📄 Description

Fixes 12 workflow permission findings across both workflow files.

Changes

  • Add top-level permissions: contents: read to both workflows — without this, the GITHUB_TOKEN inherits broad org/repo defaults (Rule 1)
  • Remove redundant pull_request trigger — secrets (DOCKER_PASSWORD, LANGSMITH_API_KEY, OPENAI_API_KEY) were accessible to PR authors who could modify the workflow file; the existing push: branches: [main] trigger already fires on PR merge (Rule 7)
  • SHA-pin all four docker/* third-party actions to prevent supply chain attacks via tag hijacking (Rule 6):
    • docker/setup-buildx-action@v3 → 8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
    • docker/login-action@v3 → c94ce9fb468520275223c153574b00df6fe4bcc9
    • docker/metadata-action@v5 → c299e40c65443455700f0fdfc63efafe5b349051
    • docker/build-push-action@v5 → ca052bb54ab0790a636c9b5f226502c73d547a25

Files changed

  • .github/workflows/new-deployment.yml
  • .github/workflows/new-revision.yml

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
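As an added example, not part of the PR or the project's code: a small Python checker for the three finding classes the description lists (Rule 1 missing top-level permissions, Rule 6 unpinned action references, Rule 7 pull_request trigger in a workflow that reads secrets), run over a constructed weak workflow and a corrected counterpart that uses the login-action SHA from the PR. It is a line-oriented scan, not a YAML parser, so flow-style trigger lists such as on: [push, pull_request] are outside what it handles.

```python
import re

# Constructed "before" state (not the PR's file): no top-level permissions, pull_request trigger, tag-pinned action.
WEAK_WORKFLOW = """\
on:
  push:
    branches: [main]
  pull_request:
jobs:
  build:
    steps:
      - uses: docker/login-action@v3
        with:
          password: ${{ secrets.DOCKER_PASSWORD }}
"""

# Constructed "after" state: read-only token, push-only trigger, the commit SHA the PR lists (tag kept as comment).
FIXED_WORKFLOW = """\
permissions:
  contents: read
on:
  push:
    branches: [main]
jobs:
  build:
    steps:
      - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9  # v3
        with:
          password: ${{ secrets.DOCKER_PASSWORD }}
"""

TOP_KEY_RE = re.compile(r"^([A-Za-z_]+):")                        # column-0 mapping keys
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@#]+)@([^\s#]+)")    # action@ref on a step
SHA_RE = re.compile(r"[0-9a-f]{40}")                              # full commit SHA
PR_TRIGGER_RE = re.compile(r"^  pull_request:", re.M)             # pull_request key under on:

def audit_workflow(text):
    """Line-oriented scan (not a YAML parser) returning (rule, detail) findings for one workflow."""
    findings, top_keys = [], set()
    for line in text.splitlines():
        if top := TOP_KEY_RE.match(line):
            top_keys.add(top.group(1))
        if (used := USES_RE.match(line)) and not used.group(1).startswith("./"):
            if not SHA_RE.fullmatch(used.group(2)):  # tags and branches are mutable references
                findings.append(("Rule 6", f"{used.group(1)}@{used.group(2)} is not pinned to a commit SHA"))
    if "permissions" not in top_keys:
        findings.append(("Rule 1", "no top-level permissions block; GITHUB_TOKEN inherits repo defaults"))
    if PR_TRIGGER_RE.search(text) and "secrets." in text:
        findings.append(("Rule 7", "pull_request trigger in a workflow that reads secrets"))
    return findings
```

Calling audit_workflow on WEAK_WORKFLOW reports one finding per rule, while FIXED_WORKFLOW reports none.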

yindo added the pull-request label 2026-06-05 17:18:13 -04:00
yindo closed this issue 2026-06-05 17:18:13 -04:00

Reference: langchain-ai/control-plane-api-demo#1