Skip to content

CI: add least-privilege permissions to GitHub Actions workflows#69

Open
peter-matkovski wants to merge 5 commits into
mainfrom
ci/workflow-least-privilege-permissions
Open

CI: add least-privilege permissions to GitHub Actions workflows#69
peter-matkovski wants to merge 5 commits into
mainfrom
ci/workflow-least-privilege-permissions

Conversation

@peter-matkovski

@peter-matkovski peter-matkovski commented Jul 8, 2026

Copy link
Copy Markdown

Summary

  • Add explicit least-privilege permissions blocks to workflow files flagged by CodeQL.
  • Scopes derived from workflow operations (build, artifacts, Danger, release git push).
  • Resolves 4 open actions/missing-workflow-permissions alerts.

Linear

Test plan

  • CI green
  • Code scanning alerts close after merge

Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Comment on lines +10 to +11
contents: read
pull-requests: read

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Create release on GitHub step uses ncipollo/release-action@v1, which needs contents: write to create the release and its tag (per the action's README). With contents: read this step will fail with 403 on the next release, and CodeQL still closes the alert since a block exists, so the break only surfaces at release time. pull-requests is unused here (the PR ref is read from the event payload, not the API), so drop it.

Suggested change
contents: read
pull-requests: read
contents: write


permissions:
contents: read
pull-requests: write

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This workflow runs on schedule/workflow_dispatch and never touches the PR API (the Slack step uses a bot token). pull-requests: write is unused, so it can be dropped, leaving only contents: read.

Suggested change
pull-requests: write

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants