refactor: apply least privilege principle to workflow permissions #389
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Move write permissions from top-level to job-level scope to follow security best practices. This ensures each job only has the minimum permissions needed to perform its specific tasks. Changes: - build-pull-requests.yml: Move checks/pull-requests write to run-tests job - test.yml: Move checks/pull-requests write to specific PR comment jobs - codeql-analysis.yml: Move security-events write to analyze job - build.yml: Add explanatory comments for existing job-level permissions - claude.yml: Add explanatory comments for required write permissions
Contributor
There was a problem hiding this comment.
Pull request overview
This PR refactors GitHub Actions workflow permissions to follow the principle of least privilege by moving write permissions from workflow-level scope to job-level scope. This security improvement ensures that each job only receives the minimum permissions required to perform its specific tasks, reducing the attack surface if a workflow is compromised.
Key Changes:
- Moved write permissions (checks, pull-requests, security-events, packages, attestations) from top-level to job-level scope
- Added explanatory comments documenting why each permission is required
- Reorganized permission declarations for better readability with inline comments
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
.github/workflows/test.yml |
Moved pull-requests and checks write permissions to specific PR comment jobs that need them |
.github/workflows/codeql-analysis.yml |
Moved security-events write permission to the analyze job that uploads scan results |
.github/workflows/claude.yml |
Added explanatory comments for existing job-level permissions |
.github/workflows/build.yml |
Added explanatory comments for existing job-level permissions and reorganized declarations |
.github/workflows/build-pull-requests.yml |
Moved pull-requests and checks write permissions to run-tests job |
Uncomment repo_token configuration to enable the Branch-Protection check. This requires a fine-grained PAT with "Administration: Read-only" permission to be added as a repository secret named SCORECARD_TOKEN.
Contributor
|
@DennisDyallo since these changes only affect our GitHub repo's workflows, I'm assuming they do not need to be mentioned in a release note. If that's incorrect, please let me know. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Move write permissions from top-level to job-level scope to follow security best practices. This ensures each job only has the minimum permissions needed to perform its specific tasks.
Changes: