This is an automated email from the ASF dual-hosted git repository.

oscerd pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-kamelets.git


The following commit(s) were added to refs/heads/main by this push:
     new 838ae31a7 ci: declare workflow-level contents: read on 1 workflow (#2855)
838ae31a7 is described below

commit 838ae31a739c9cc6db023628face685b82671c98
Author: Arpit Jain <[email protected]>
AuthorDate: Thu Jun 11 20:21:28 2026 +0900

    ci: declare workflow-level contents: read on 1 workflow (#2855)
    
    Declares an explicit workflow-level permissions: contents: read on 1
    workflow that currently inherits the default broad read-write GITHUB_TOKEN.
    Each file was inspected and only reads the checkout; none publish, push, or
    write via the GitHub API. Post-CVE-2025-30066 hardening default.
    
    Signed-off-by: Arpit Jain <[email protected]>
---
 .github/workflows/backport.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index 3d9301165..f613e53f6 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -22,6 +22,10 @@ on:
       - closed
       - labeled
 
+
+permissions:
+  contents: read
+
 jobs:
   backport:
     runs-on: ubuntu-latest
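
Review bot: the workflow-level `permissions:` block added above `jobs:` lists only `contents: read`, and once a permissions block is declared every scope it does not list drops to none, so the `backport` job loses any `pull-requests` or `issues` write access along with the ability to push using GITHUB_TOKEN. The steps of `backport` are not visible in this hunk; because the job is named for creating backports and runs on `closed` and `labeled` events, please confirm that it performs its writes with a separate credential rather than GITHUB_TOKEN, or add a job-level `permissions:` under `backport:` that grants only the scopes it needs. Minor: the bare `+` line leaves two blank lines before `permissions:`; one is enough.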
