From 6dcd68bb6147062b66bc20be35d9b7417c0fb220 Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Wed, 13 May 2026 06:05:52 +0000
Subject: [PATCH 1/2] Add explicit permissions to CI workflow

Declare workflow-level contents: read as the default least-privilege scope, and override per-job to contents: write for the build job because maven-dependency-submission-action posts to the Dependency submission API and that endpoint requires contents: write. This documents the actual scope needed by each part of the workflow rather than inheriting the repository default token permissions, which is the recommended hardening pattern.
Signed-off-by: Arpit Jain
---
 .github/workflows/ci.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 820eefb3..c242efa7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: [ "main" ]
+permissions:
+ contents: read
+
 jobs:
 build:
@@ -13,6 +16,10 @@ jobs:
 strategy:
 matrix:
 os: [ubuntu-latest, macos-latest, windows-latest]
+ # `Update dependency graph` step uses maven-dependency-submission-action,
+ # which posts to the Dependency submission API and requires `contents: write`.
+ permissions:
+ contents: write
 steps:
 - uses: actions/checkout@v4

From 8cc2c11e565edf82d81a72e00b33b250160e5039 Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Wed, 13 May 2026 16:08:35 +0000
Subject: [PATCH 2/2] Drop dependency-graph step, simplify perms to contents: read

Per @jdneo's review: the 'Update dependency graph' step (maven-dependency -submission-action) has been failing in CI; removing it lets the workflow hold to the strict workflow-level contents: read default with no per-job write override needed.
Net change vs main:
- workflow-level permissions: contents: read (new)
- Update dependency graph step: removed
- per-job permissions: contents: write override on build: not added
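Review bot: The new workflow-level `permissions:` block in the first hunk carries no comment saying that it is the default for every job and that a job-level `permissions:` block replaces it rather than adding to it, which is the detail a later editor is most likely to get wrong when one job needs an extra scope. A two-line comment above it would carry that: `# Default GITHUB_TOKEN scope for every job: read-only.` / `# A job-level permissions block replaces this one (it does not extend it).` Note that pull_request runs from forks already receive a read-only token regardless, so the practical effect of this block is on push runs and same-repository pull requests.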
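Review bot: `contents: write` on the `build` job in the second hunk is held by the whole matrix job on every trigger — checkout, `./mvnw clean verify` and any plugin the build resolves — although only the single `Update dependency graph` step at the end of the job uses it, and that step is marked `continue-on-error: true`, so the elevated token is granted even when its one consumer fails. A least-privilege shape keeps `build` on the workflow default and moves the submission into its own job with `needs: build`, gated to push events so same-repository pull requests never hold a write token. PATCH 2/2 in this series resolves this differently by dropping the step, so the rewrite below only matters if the step is reinstated. The `build` job starts before this hunk and its steps continue past it.
```yaml
  # … unchanged: build job, inherits the workflow-level contents: read …

  dependency-graph:
    needs: build
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    # The only job that posts to the Dependency submission API, so the only one holding write scope.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      # … same JDK/toolchain setup as the build job, if it has any …
      - name: Update dependency graph
        uses: advanced-security/maven-dependency-submission-action@571e99aab1055c2e71a1e2309b9691de18d6b7d6
```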
Signed-off-by: Arpit Jain
---
 .github/workflows/ci.yml | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c242efa7..a77cc802 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -16,10 +16,6 @@ jobs:
 strategy:
 matrix:
 os: [ubuntu-latest, macos-latest, windows-latest]
- # `Update dependency graph` step uses maven-dependency-submission-action,
- # which posts to the Dependency submission API and requires `contents: write`.
- permissions:
- contents: write
 steps:
 - uses: actions/checkout@v4
@@ -45,8 +41,3 @@ jobs:
 with:
 run: >-
 ./mvnw clean verify --batch-mode
-
- # Uploads the full dependency graph to GitHub to improve the quality of Dependabot alerts this repository can receive
- - name: Update dependency graph
- uses: advanced-security/maven-dependency-submission-action@571e99aab1055c2e71a1e2309b9691de18d6b7d6
- continue-on-error: true