The Thermos service-isolation workflow previously ran on pull_request and exposed DOPPLER_TOKEN_THERMOS_DEV at job scope, allowing PR-controlled code to run with Doppler-injected secrets and creating a secret-exposure risk.
Description
Removed the pull_request trigger so the workflow only runs on trusted push branches and workflow_dispatch (file: .github/workflows/thermos_service_isolation_tests.yml).
Dropped the unneeded pull-requests: write permission and left contents: read for the job to reduce privileges.
Scoped DOPPLER_TOKEN_THERMOS_DEV from job-level env into the single Run Service Isolation Tests step so the secret is only available for the one command that needs it (file: .github/workflows/thermos_service_isolation_tests.yml).
Simplified the concurrency group expression to avoid referencing PR-specific metadata.
Testing
Ran a validation script (python - <<'PY' ... PY) that confirmed the workflow no longer contains a pull_request trigger and that DOPPLER_TOKEN_THERMOS_DEV is not present before the steps block, and it passed.
Ran git diff --check which passed without errors.
Committed the change locally and prepared the PR titled fix(ci): restrict thermos service isolation secrets (commit present in branch).
@kaavee315checks…codex/propose-fix-for-exposed-doppler-token → master1 files · +2 −7review: @acsrujanreview: @abir-taheerreview: @anshugarg15updated 1w ago