
[BRE-1333] [key-connector] Update workflow permissions#243

Merged
gitclonebrian merged 3 commits into main from BRE-1333/workflow-token-perms_key-connector
Dec 2, 2025

Conversation

gitclonebrian (Contributor) commented Nov 22, 2025

🎟️ Tracking

BRE-1333

📔 Objective

Limit scope of generated app token and ensure appropriate permissions are set at the workflow and job levels.

  • explicitly defined empty permission set at workflow level
  • added permission to app token generation step
  • removed permissions from job level

Test run was successful.

📸 Screenshots

⏰ Reminders before review

  • Contributor guidelines followed
  • All formatters and local linters executed and passed
  • Written new unit and / or integration tests where applicable
  • Protected functional changes with optionality (feature flags)
  • Used internationalization (i18n) for all UI strings
  • CI builds passed
  • Communicated to DevOps any deployment requirements
  • Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

  • 👍 (:+1:) or similar for great changes
  • 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
  • ❓ (:question:) for questions
  • 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
  • 🎨 (:art:) for suggestions / improvements
  • ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
  • 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
  • ⛏ (:pick:) for minor or nitpick changes

codecov bot commented Nov 22, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 7.04%. Comparing base (5da3fe3) to head (e328fc2).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@          Coverage Diff          @@
##            main    #243   +/-   ##
=====================================
  Coverage   7.04%   7.04%           
=====================================
  Files         49      49           
  Lines       1818    1818           
  Branches      99      99           
=====================================
  Hits         128     128           
  Misses      1685    1685           
  Partials       5       5           


github-actions bot (Contributor) commented

Checkmarx One – Scan Summary & Details (scan 5ed71984-9bdb-44a1-945a-3523cf426d99)

Fixed Issues (1)

Great job! The following issues were fixed in this Pull Request

Severity | Issue          | Source File / Package
HIGH     | CVE-2024-32655 | Nuget-Npgsql-8.0.2

@gitclonebrian gitclonebrian marked this pull request as ready for review November 22, 2025 15:59
@gitclonebrian gitclonebrian requested review from a team as code owners November 22, 2025 15:59
claude bot commented Nov 22, 2025

Claude finished @gitclonebrian's task


Code Review Complete

Summary

This PR implements principle of least privilege by restricting workflow-level permissions and moving content write access to the GitHub App token scope. The changes are well-executed and align with security best practices for GitHub Actions.

Findings

Finding 1: PR description could be more specific about the security improvement achieved

💭 The objective states "Limit scope of generated app token" but doesn't explain why this improves security or what the previous state was. Consider adding context about the principle of least privilege and explaining that this ensures the workflow token (GITHUB_TOKEN) has minimal permissions while the app token gets only the specific permissions needed.

Suggested improvement
## 📔 Objective
Apply principle of least privilege to workflow permissions per [BRE-1333](https://bitwarden.atlassian.net/browse/BRE-1333).

**Changes:**
- Set workflow-level permissions to empty (`{}`) to ensure GITHUB_TOKEN has no default permissions
- Removed `contents: write` and `pull-requests: write` from job-level permissions (no longer needed)
- Added `permissions-contents: write` to GitHub App token generation step (only component needing write access)
- Retained `id-token: write` at job level for Azure OIDC authentication

**Security benefit:** Limits exposure by ensuring only the generated app token (used for git operations) has repository write access, while the workflow's GITHUB_TOKEN operates with minimal permissions.

Finding 2: Missing pull-requests: write permission from app token configuration

⚠️ The previous configuration had pull-requests: write at the job level (line 23 in old version), but this permission is not included in the app token generation step. If this workflow creates or updates pull requests, it may fail. The test run linked in the PR description shows success, but verify whether PR operations are part of this workflow's functionality.

Context

Previous permissions at job level:

```yaml
permissions:
  contents: write
  pull-requests: write
  id-token: write
```

Current permissions at job level:

```yaml
permissions:
  id-token: write
```

Current app token permissions:

```yaml
permission-contents: write
```

If this workflow needs to create/update PRs, you may need to add permission-pull-requests: write to the app token configuration.


Good Practices Observed

  • ✅ Explicit empty permissions at workflow level prevents unintended permission inheritance
  • ✅ Retained id-token: write at job level for Azure OIDC authentication (correctly scoped)
  • ✅ App token permissions properly scoped to only required access
  • ✅ Test run completed successfully before submitting PR

Action Items

  1. Consider: Enhance PR description to explain the security rationale (Finding 1)
  2. Verify: Confirm whether pull-requests: write is needed for this workflow (Finding 2) - if the test run was comprehensive and included all workflow paths, this may not be an issue
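The layout that the PR description and this review describe, written out as a full workflow, as an added example (not the key-connector repository's own workflow file). It assumes a workflow name, job name, secret names, an `azure/login` step with OIDC inputs and a tag-push step for illustration; the `actions/create-github-app-token` input `permission-contents` is the one named on this page, and the commented-out `permission-pull-requests` input is the one the review asks about.

```yaml
# Added example, not the project's workflow. Names of secrets, the job and
# the final push step are assumptions chosen to illustrate the structure.
name: Example release workflow

on:
  workflow_dispatch:

# Workflow level: explicitly empty, so GITHUB_TOKEN enters every job with no
# default permissions. A job must grant itself anything it needs.
permissions: {}

jobs:
  release:
    name: Release
    runs-on: ubuntu-latest
    # Job level: only what this job needs from GITHUB_TOKEN.
    # Before the change the job also carried
    #   contents: write
    #   pull-requests: write
    # on GITHUB_TOKEN; those were removed and the write scope moved to the
    # app token below.
    permissions:
      id-token: write   # required to request the OIDC token used by azure/login

    steps:
      - name: Generate GitHub App token
        id: app-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.APP_ID }}                 # assumed secret names
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          # Step level: the repository write scope lives on the app token only,
          # and is limited to the permissions listed here.
          permission-contents: write
          # Only needed if a step in this workflow creates or updates PRs
          # (the open question from the review):
          # permission-pull-requests: write

      - name: Check out repository with the app token
        uses: actions/checkout@v4
        with:
          token: ${{ steps.app-token.outputs.token }}

      - name: Log in to Azure via OIDC (consumer of id-token: write)
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Push a release tag (git operation authenticated by the app token)
        run: |
          git tag "v${{ github.run_number }}"
          git push origin "v${{ github.run_number }}"
```

Two points worth checking when reviewing a change like this: with `actions/create-github-app-token`, listing any `permission-*` input restricts the token to exactly those permissions, whereas listing none hands the token the installation's full permission set, so the `permission-contents: write` line is what actually narrows the scope. And `permissions: {}` at the top only removes defaults; a job that still declares `contents: write` on its own block re-grants it to GITHUB_TOKEN, which is why the job-level entries had to be removed as well.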

@gitclonebrian gitclonebrian merged commit 92c7672 into main Dec 2, 2025
22 checks passed
@gitclonebrian gitclonebrian deleted the BRE-1333/workflow-token-perms_key-connector branch December 2, 2025 15:53