diff --git a/.github/workflows/benchmarks.yml b/.github/workflows/benchmarks.yml
index ceb73c2..7c99ee0 100644
--- a/.github/workflows/benchmarks.yml
+++ b/.github/workflows/benchmarks.yml
@@ -18,6 +18,11 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
 
+# AAASM-3993: least-privilege default token — this workflow only checks out and
+# runs tests/builds; no job pushes, comments, or deploys.
+permissions:
+ contents: read
+
 jobs:
 benchmark:
 name: Run performance benchmarks
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index e911281..f89ae41 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -59,6 +59,11 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
 
+# AAASM-3993: least-privilege default token — this workflow only checks out and
+# runs tests/builds; no job pushes, comments, or deploys.
+permissions:
+ contents: read
+
 jobs:
 build-and-test_all:
 # name: Run all tests and organize all test reports
diff --git a/.github/workflows/ci_includes_e2e_test.yaml b/.github/workflows/ci_includes_e2e_test.yaml
index 68716ef..c121cb6 100644
--- a/.github/workflows/ci_includes_e2e_test.yaml
+++ b/.github/workflows/ci_includes_e2e_test.yaml
@@ -25,6 +25,11 @@ on:
 - "pyproject.toml"
 - "uv.lock"
 
+# AAASM-3993: least-privilege default token — this workflow only checks out and
+# runs tests/builds; no job pushes, comments, or deploys.
+permissions:
+ contents: read
+
 jobs:
 build-and-test_all:
 # name: Run all tests and organize all test reports
diff --git a/.github/workflows/native-core-build.yml b/.github/workflows/native-core-build.yml
index bc6f3ee..241250d 100644
--- a/.github/workflows/native-core-build.yml
+++ b/.github/workflows/native-core-build.yml
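Review bot: The header comment's claim that `no job pushes, comments, or deploys` cannot be checked from this hunk, and once any `permissions:` key is set every unlisted scope (`pull-requests`, `checks`, `issues`, `id-token`) drops to none, so a benchmark step that publishes results to a branch or comments on the PR would now be rejected by the API. Confirm the claim against the full benchmarks.yml, and if one job does need a write scope, grant it on that job (a `permissions:` block under the job) rather than loosening the workflow default. The same applies to the identical additions in ci.yaml, ci_includes_e2e_test.yaml, native-core-build.yml and type-check.yml. It would also help future readers to record how the claim was checked, e.g. `# Verified against every step's use of GITHUB_TOKEN; revisit before adding PR comments or check annotations.`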
@@ -14,6 +14,11 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
 
+# AAASM-3993: least-privilege default token — this workflow only checks out and
+# runs tests/builds; no job pushes, comments, or deploys.
+permissions:
+ contents: read
+
 jobs:
 build-native-core:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/rw_build_and_test.yaml b/.github/workflows/rw_build_and_test.yaml
index 7d62ebe..15899b2 100644
--- a/.github/workflows/rw_build_and_test.yaml
+++ b/.github/workflows/rw_build_and_test.yaml
@@ -18,7 +18,19 @@ on:
 description: "Set the Slack bot token for end-to-end test."
 required: false
 
+# AAASM-3993: least-privilege default token. As a reusable workflow this also caps
+# the GITHUB_TOKEN granted to the third-party workflows it calls; none need write.
+permissions:
+ contents: read
+
 jobs:
+ # AAASM-3994: these jobs call a third-party reusable workflow owned by a personal
+ # account (Chisanan232/GitHub-Action_Reusable_Workflows-Python). Trust is bounded
+ # by the 40-char commit-SHA pin on each `uses:` below — a moving tag/branch would
+ # let the owner alter behavior after review. Secrets are already scoped per call:
+ # only run_e2e-test receives e2e_test_api_token (Slack); unit/integration forward
+ # none. TODO(AAASM-3994): vendor this workflow into the ai-agent-assembly org (or
+ # pin a signed release) to drop the personal-account supply-chain dependency.
 run_unit-test:
 # name: Run all unit test items
 uses: Chisanan232/GitHub-Action_Reusable_Workflows-Python/.github/workflows/rw_uv_run_test.yaml@4a6480470b90c0b6139e05489868585fa50aad6f # master @ 2026-05-26
diff --git a/.github/workflows/rw_run_all_test_and_record.yaml b/.github/workflows/rw_run_all_test_and_record.yaml
index b4c829d..4704c98 100644
--- a/.github/workflows/rw_run_all_test_and_record.yaml
+++ b/.github/workflows/rw_run_all_test_and_record.yaml
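Review bot: The new comment block in rw_build_and_test.yaml treats the commit-SHA pin on `uses:` as the trust boundary, but the pin only fixes the third-party workflow file itself; any actions that rw_uv_run_test.yaml in turn references by tag or branch remain mutable by their owners. Only the run_unit-test `uses:` is visible in this hunk, so the "each `uses:` below" claim for the integration and e2e jobs and the "unit/integration forward none" claim about secrets should be checked against the rest of the file (those jobs are outside the hunk), including that neither job uses `secrets: inherit`. I would add to the comment: `# Note: the SHA pin covers only this workflow file; review the pinned revision's own uses: refs, since transitive actions are pinned (or not) by the third party.` The same limitation applies to the matching comment added in rw_run_all_test_and_record.yaml.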
@@ -24,6 +24,11 @@ on:
 description: "The API token for uploading testing coverage report to Coveralls."
 required: false
 
+# AAASM-3993: least-privilege default token. As a reusable workflow this also caps
+# the GITHUB_TOKEN granted to the third-party workflows it calls; none need write.
+permissions:
+ contents: read
+
 jobs:
 build-and-test:
 # name: Run all tests and organize all test reports
@@ -34,6 +39,14 @@ jobs:
 secrets:
 e2e_test_api_token: ${{ secrets.e2e_test_api_token }}
 
+ # AAASM-3994: the *_codecov_finish jobs below call a third-party reusable workflow
+ # owned by a personal account (Chisanan232/GitHub-Action_Reusable_Workflows-Python).
+ # Trust is bounded by the 40-char commit-SHA pin on each `uses:` — a moving ref
+ # would let the owner alter behavior after review. Secrets are already minimized:
+ # each call forwards ONLY codecov_token; sonar_token is used solely by the local
+ # sonarcloud_finish job (SonarSource action) and never forwarded to the third party.
+ # TODO(AAASM-3994): vendor this workflow into the ai-agent-assembly org (or pin a
+ # signed release) to drop the personal-account supply-chain dependency.
 unit-test_codecov_finish:
 # name: Organize and generate the testing report and upload it to Codecov
 if: ${{
diff --git a/.github/workflows/type-check.yml b/.github/workflows/type-check.yml
index 678c28b..db55ed9 100644
--- a/.github/workflows/type-check.yml
+++ b/.github/workflows/type-check.yml
@@ -37,6 +37,11 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
 
+# AAASM-3993: least-privilege default token — this workflow only checks out and
+# runs tests/builds; no job pushes, comments, or deploys.
+permissions:
+ contents: read
+
 jobs:
 verify-pep561-compliance:
 name: Verify PEP 561 Compliance
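Review bot: Setting `permissions: contents: read` at the top of rw_run_all_test_and_record.yaml zeroes every other scope for all jobs, and the second hunk's own comment says sonarcloud_finish runs the SonarSource action, which as far as I recall reads pull-request metadata through GITHUB_TOKEN when that token is passed to it — with `pull-requests` now none, PR analysis may fail. Likewise a Codecov upload that relies on OIDC rather than codecov_token would need `id-token: write`. Please confirm both jobs still pass on a pull_request-triggered run, and if a scope is required grant it only on that job, e.g. under sonarcloud_finish: `permissions:` / `  contents: read` / `  pull-requests: read`. The `uses:` pins and per-call `secrets:` blocks the comment describes are outside this hunk, so those claims could not be checked here.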