@torcolvin
Collaborator

Copilot AI review requested due to automatic review settings July 10, 2025 14:55
Contributor

Copilot AI left a comment


Pull Request Overview

This PR tightens GitHub workflow permissions to improve security posture by implementing the principle of least privilege, as identified through security code scanning. The changes add explicit permission declarations to limit workflow access to only what's necessary for each job.

  • Adds explicit permissions blocks to all workflow files with minimal required permissions
  • Updates trigger paths to include the workflow files themselves for better dependency tracking
  • Grants pull-requests: write permission only where needed for PR operations

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 7 comments.

File                              Description
.github/workflows/service.yml     Adds read-only content permissions and includes workflow file in trigger paths
.github/workflows/openapi.yml     Adds read-only content permissions and expands trigger paths for configuration files
.github/workflows/openapi-pr.yml  Adds read-only content permissions plus PR write access for PR operations
.github/workflows/ci.yml          Adds read-only content permissions
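An added illustrative example, not a file from this PR or from the repository it belongs to, showing the shape of the change the review describes: a workflow with no `permissions:` key (so every job inherits the repository's default GITHUB_TOKEN scopes) beside the hardened form, which sets a read-only workflow-level default, raises `pull-requests: write` only on the one job that comments on the PR, and lists the workflow file itself in the trigger paths. The workflow name, job names, script paths and the comment body are hypothetical.

```yaml
# Added example (not from this PR or its repository). Names and paths
# below are hypothetical.
#
# BEFORE (weak): no `permissions:` key anywhere, so each job runs with
# the repository's default GITHUB_TOKEN scopes, which on many repositories
# means read/write on contents, issues, pull-requests and more, far beyond
# what a lint-and-preview workflow needs.
#
#   name: openapi-pr
#   on:
#     pull_request:
#       paths:
#         - 'docs/api/**'
#   jobs:
#     preview:
#       runs-on: ubuntu-latest
#       steps:
#         - uses: actions/checkout@v4
#         - run: ./scripts/build-preview.sh
#
# AFTER (least privilege): an explicit read-only default for the whole
# file, elevated only on the single job that must write to the PR.

name: openapi-pr

on:
  pull_request:
    paths:
      - 'docs/api/**'
      # Listing the workflow file itself means edits to the job
      # definition also trigger a run (the "trigger paths" point above).
      - '.github/workflows/openapi-pr.yml'

# Workflow-level default: every job gets only these scopes unless it
# overrides them. Any scope not listed here is set to "none".
permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    # Inherits the workflow-level read-only token; nothing to add.
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/lint-openapi.sh   # hypothetical script

  preview:
    runs-on: ubuntu-latest
    needs: lint
    # Job-level override. A job-level block REPLACES the workflow-level
    # block rather than merging with it, so contents: read is restated;
    # without it the checkout step would lose repository read access on
    # a private repository.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/build-preview.sh    # hypothetical script
      - name: Comment preview link on the PR
        uses: actions/github-script@v7
        with:
          script: |
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: 'Preview built for this PR.',  // hypothetical body
            });
```

Two things to check when reviewing a change like this: first, that every job which must write (commenting on a PR, pushing a tag, publishing a package) carries its own job-level block, since the workflow-level `contents: read` default will otherwise make that step fail at runtime rather than silently keep the old broad token; second, that any job-level block restates `contents: read` when the job checks out a private repository, because the job-level block does not merge with the workflow-level one.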

@github-actions

Redocly previews

@torcolvin torcolvin requested a review from bbrks July 10, 2025 16:58
@bbrks bbrks merged commit 136a3cb into main Jul 10, 2025
48 checks passed
@bbrks bbrks deleted the ci-tighten-codeql branch July 10, 2025 17:35
