From a716cac070c8899b0c1ee1302bab1c06eaffb24c Mon Sep 17 00:00:00 2001 From: Matt Hammond Date: Fri, 22 May 2026 17:36:58 +0100 Subject: [PATCH 1/2] ci: don't persist GITHUB_TOKEN in checkouts actions/checkout writes the workflow GITHUB_TOKEN to .git/config by default so subsequent steps can reuse it for git operations. Nothing in this repo's workflows needs that: no step does git push / tag / commit, the submodule is HTTPS-public, and the two git+ssh dependencies in package-lock.json resolve to public ably-forks repos via the existing URL rewrite. Opt out across every checkout so the token is wiped from disk once checkout completes. --- .github/workflows/bundle-report.yml | 2 ++ .github/workflows/check.yml | 2 ++ .github/workflows/docs.yml | 4 ++++ .github/workflows/publish-cdn.yml | 1 + .github/workflows/react.yml | 2 ++ .github/workflows/spec-coverage-report.yml | 2 ++ .github/workflows/test-browser.yml | 1 + .github/workflows/test-node.yml | 1 + .github/workflows/test-package.yml | 1 + 9 files changed, 16 insertions(+) diff --git a/.github/workflows/bundle-report.yml b/.github/workflows/bundle-report.yml index b25edc8bf..50e1bd5d4 100644 --- a/.github/workflows/bundle-report.yml +++ b/.github/workflows/bundle-report.yml @@ -13,6 +13,8 @@ jobs: id-token: write steps: - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 + with: + persist-credentials: false - name: Reconfigure git to use HTTP authentication run: > git config --global url."https://github.com/".insteadOf diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml index 554e2b4aa..8e0611b0f 100644 --- a/.github/workflows/check.yml +++ b/.github/workflows/check.yml @@ -10,6 +10,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 + with: + persist-credentials: false - name: Reconfigure git to use HTTP authentication run: > git config --global url."https://github.com/".insteadOf diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index fccd02c1e..5e38cb6d4 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -12,6 +12,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + with: + persist-credentials: false - name: Use Node.js 20.x uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 @@ -39,6 +41,8 @@ jobs: id-token: write steps: - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + with: + persist-credentials: false - name: Download typedoc artifact uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 diff --git a/.github/workflows/publish-cdn.yml b/.github/workflows/publish-cdn.yml index 4571ac18c..cdda17938 100644 --- a/.github/workflows/publish-cdn.yml +++ b/.github/workflows/publish-cdn.yml @@ -17,6 +17,7 @@ jobs: - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 with: ref: ${{ github.event.inputs.version }} + persist-credentials: false - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1 with: diff --git a/.github/workflows/react.yml b/.github/workflows/react.yml index 6e5248e1f..c1183fa05 100644 --- a/.github/workflows/react.yml +++ b/.github/workflows/react.yml @@ -12,6 +12,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 + with: + persist-credentials: false - uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e # v1 with: node-version: 20 diff --git a/.github/workflows/spec-coverage-report.yml b/.github/workflows/spec-coverage-report.yml index 60f67e2fc..5562a8483 100644 --- a/.github/workflows/spec-coverage-report.yml +++ b/.github/workflows/spec-coverage-report.yml @@ -13,6 +13,8 @@ jobs: id-token: write steps: - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 + with: + persist-credentials: false - name: Reconfigure git to use HTTP authentication run: > git config --global url."https://github.com/".insteadOf diff --git a/.github/workflows/test-browser.yml b/.github/workflows/test-browser.yml index 9e24eff0d..4f72bab96 100644 --- a/.github/workflows/test-browser.yml +++ b/.github/workflows/test-browser.yml @@ -17,6 +17,7 @@ jobs: - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 with: submodules: 'recursive' + persist-credentials: false - name: Reconfigure git to use HTTP authentication run: > git config --global url."https://github.com/".insteadOf diff --git a/.github/workflows/test-node.yml b/.github/workflows/test-node.yml index 06122708c..7ca62dff8 100644 --- a/.github/workflows/test-node.yml +++ b/.github/workflows/test-node.yml @@ -17,6 +17,7 @@ jobs: - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 with: submodules: 'recursive' + persist-credentials: false - name: Reconfigure git to use HTTP authentication run: > git config --global url."https://github.com/".insteadOf diff --git a/.github/workflows/test-package.yml b/.github/workflows/test-package.yml index d1cee64ff..17c0fc2bb 100644 --- a/.github/workflows/test-package.yml +++ b/.github/workflows/test-package.yml @@ -12,6 +12,7 @@ jobs: - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 with: submodules: true + persist-credentials: false - name: Use Node.js 20.x uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e # v1 with: From fff18053a55673c628f7698dc7eccb0c0bee8ea7 Mon Sep 17 00:00:00 2001 From: Matt Hammond Date: Fri, 22 May 2026 17:58:30 +0100 Subject: [PATCH 2/2] ci: scope GITHUB_TOKEN to least privilege Add explicit `permissions:` blocks so each workflow's GITHUB_TOKEN is narrowed to what the job actually needs. Most workflows only read the repo (contents: read) and that is declared at the workflow level so the default is restrictive. The docs publish job continues to need deployments: write + id-token: write for the AWS-OIDC role and the GitHub Deployment that powers the docs preview, with contents: read added so the override does not lose checkout access. The features caller needs id-token: write so the reusable workflow's configure-aws-credentials step can assume its role. --- .github/workflows/check.yml | 3 +++ .github/workflows/docs.yml | 4 ++++ .github/workflows/features.yml | 3 +++ .github/workflows/react.yml | 3 +++ .github/workflows/test-browser.yml | 3 +++ .github/workflows/test-node.yml | 3 +++ .github/workflows/test-package.yml | 3 +++ 7 files changed, 22 insertions(+) diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml index 8e0611b0f..08fc6ed4d 100644 --- a/.github/workflows/check.yml +++ b/.github/workflows/check.yml @@ -5,6 +5,9 @@ on: branches: - main +permissions: + contents: read + jobs: lint: runs-on: ubuntu-latest diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 5e38cb6d4..c5101d8a7 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -7,6 +7,9 @@ on: tags: - '*' +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -37,6 +40,7 @@ jobs: needs: build runs-on: ubuntu-latest permissions: + contents: read deployments: write id-token: write steps: diff --git a/.github/workflows/features.yml b/.github/workflows/features.yml index 568f55933..a1a99f349 100644 --- a/.github/workflows/features.yml +++ b/.github/workflows/features.yml @@ -8,6 +8,9 @@ on: jobs: build: + permissions: + contents: read + id-token: write uses: ably/features/.github/workflows/sdk-features.yml@6b3fc7a8ede2ebdd7a6325314f3a96c6466f1453 # main with: repository-name: ably-js diff --git a/.github/workflows/react.yml b/.github/workflows/react.yml index c1183fa05..12f5b7da7 100644 --- a/.github/workflows/react.yml +++ b/.github/workflows/react.yml @@ -7,6 +7,9 @@ on: branches: - main +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest diff --git a/.github/workflows/test-browser.yml b/.github/workflows/test-browser.yml index 4f72bab96..ebf6d27cb 100644 --- a/.github/workflows/test-browser.yml +++ b/.github/workflows/test-browser.yml @@ -6,6 +6,9 @@ on: branches: - main +permissions: + contents: read + jobs: test-browser: runs-on: ubuntu-22.04 diff --git a/.github/workflows/test-node.yml b/.github/workflows/test-node.yml index 7ca62dff8..cf6d568fe 100644 --- a/.github/workflows/test-node.yml +++ b/.github/workflows/test-node.yml @@ -6,6 +6,9 @@ on: branches: - main +permissions: + contents: read + jobs: test-node: runs-on: ubuntu-latest diff --git a/.github/workflows/test-package.yml b/.github/workflows/test-package.yml index 17c0fc2bb..76ec42aca 100644 --- a/.github/workflows/test-package.yml +++ b/.github/workflows/test-package.yml @@ -5,6 +5,9 @@ on: branches: - main +permissions: + contents: read + jobs: test-npm-package: runs-on: ubuntu-latest