All eleven workflow files under .github/workflows/ — actionlint.yml, bashate.yml, copyrights.yml, markdown-lint.yml, pdd.yml, rake.yml, reuse.yml, shellcheck.yml, typos.yml, xcop.yml, yamllint.yml — omit any permissions: declaration, at the workflow level and inside every job.
Without an explicit declaration the GITHUB_TOKEN issued to each job falls back to the repository default, which on legacy-default repositories is the full write set: contents: write, issues: write, pull-requests: write, and the rest. None of these workflows needs that. Every one of them checks out the tree and runs a third-party linter or formatter against the working copy; none calls git push, gh, or any write endpoint back to the repository. A compromised action version, or a mutable tag swapped under one of the @v6 / @master references already used here, would inherit that same write scope.
Fix: add permissions: contents: read at the top of each of the eleven workflow files. The rake workflow needs no more than contents: read either, since bundle exec rake does not write back to the repository.
All eleven workflow files under
.github/workflows/—actionlint.yml,bashate.yml,copyrights.yml,markdown-lint.yml,pdd.yml,rake.yml,reuse.yml,shellcheck.yml,typos.yml,xcop.yml,yamllint.yml— omit anypermissions:declaration, at the workflow level and inside every job.Without an explicit declaration the
GITHUB_TOKENissued to each job falls back to the repository default, which on legacy-default repositories is the full write set:contents: write,issues: write,pull-requests: write, and the rest. None of these workflows needs that. Every one of them checks out the tree and runs a third-party linter or formatter against the working copy; none callsgit push,gh, or any write endpoint back to the repository. A compromised action version, or a mutable tag swapped under one of the@v6/@masterreferences already used here, would inherit that same write scope.Fix: add
permissions: contents: readat the top of each of the eleven workflow files. Therakeworkflow needs no more thancontents: readeither, sincebundle exec rakedoes not write back to the repository.