fix: add explicit permissions to validate-renovate workflow#1868

Merged
markscott-ms merged 1 commit into finos:main from rocketstack-matt:fix/validate-renovate-permissions
Nov 27, 2025

Conversation

@rocketstack-matt
Member

Description

Adds minimal read-only permissions to follow the principle of least privilege. This workflow only validates Renovate config and doesn't need any write access.

Fixes code scanning alert #41 (CWE-275)

https://github.com/finos/architecture-as-code/security/code-scanning/41

Type of Change

  • 🐛 Bug fix (non-breaking change which fixes an issue)
  • ✨ New feature (non-breaking change which adds functionality)
  • 💥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • 📚 Documentation update
  • 🎨 Code style/formatting changes
  • ♻️ Refactoring (no functional changes)
  • ⚡ Performance improvements
  • ✅ Test additions or updates
  • 🔧 Chore (maintenance, dependencies, CI, etc.)

Affected Components

  • CLI (cli/)
  • Shared (shared/)
  • CALM Widgets (calm-widgets/)
  • CALM Hub (calm-hub/)
  • CALM Hub UI (calm-hub-ui/)
  • Documentation (docs/)
  • VS Code Extension (calm-plugins/vscode/)
  • Dependencies
  • CI/CD

Commit Message Format ✅

Testing

  • I have tested my changes locally
  • I have added/updated unit tests
  • All existing tests pass

Checklist

  • My commits follow the conventional commit format
  • I have updated documentation if necessary
  • I have added tests for my changes (if applicable)
  • My changes follow the project's coding standards

Adds minimal read-only permissions to follow the principle of least
privilege. This workflow only validates Renovate config and doesn't
need any write access.

Fixes code scanning alert finos#41 (CWE-275)
Copilot AI review requested due to automatic review settings November 27, 2025 14:52
@rocketstack-matt rocketstack-matt requested a review from a team as a code owner November 27, 2025 14:52
Contributor

Copilot AI left a comment


Pull request overview

This PR enhances security by adding explicit read-only permissions to the validate-renovate workflow, addressing CWE-275 (Permissive Access Control). The change implements the principle of least privilege by limiting the workflow to only the permissions it needs.

  • Adds a permissions block with contents: read to the validate-renovate workflow
  • Aligns with existing security practices already implemented in other workflows in the repository
  • Remediates code scanning alert #41
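As an added example (not code from this PR or the project), a small check for the condition this PR remediates: a workflow with no explicit top-level `permissions` block, which therefore inherits the repository's default token scopes, or one that grants a `write` scope. The sample workflow text is constructed, and the validator command it runs is an assumption, not the repository's actual file.

```python
import re

# Constructed sample (not the project's real workflow): a job that only
# validates Renovate config, first without and then with an explicit block.
JOB = """\
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npx --yes --package renovate -- renovate-config-validator
"""
UNSCOPED_WORKFLOW = "on: pull_request\n" + JOB  # inherits the repo default token
FIXED_WORKFLOW = "on: pull_request\npermissions:\n  contents: read\n" + JOB

TOP_KEY = re.compile(r"^([A-Za-z_-]+):\s*(.*)$")          # column-0 YAML key
SCOPE = re.compile(r"^\s+([a-z-]+):\s*(read|write|none)\s*$")  # indented scope

def top_level_permissions(text):
    """Return the top-level permissions as a dict, or None when the workflow
    has no explicit block. The 'read-all' / 'write-all' shorthand is
    returned as {'*': 'read'} / {'*': 'write'}."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = TOP_KEY.match(line)
        if not m or m.group(1) != "permissions":
            continue
        if m.group(2) in ("read-all", "write-all"):
            return {"*": m.group(2).split("-")[0]}
        scopes = {}
        for nxt in lines[i + 1:]:
            if TOP_KEY.match(nxt):
                break  # the next top-level key ends the permissions block
            s = SCOPE.match(nxt)
            if s:
                scopes[s.group(1)] = s.group(2)
        return scopes
    return None

def audit(text):
    """Findings a reviewer would raise: missing block, or any write scope."""
    perms = top_level_permissions(text)
    if perms is None:
        return ["no explicit top-level permissions block (CWE-275)"]
    return [f"write access granted to '{k}'" for k, v in perms.items() if v == "write"]

if __name__ == "__main__":
    for name, wf in (("unscoped", UNSCOPED_WORKFLOW), ("fixed", FIXED_WORKFLOW)):
        print(name, audit(wf) or "ok")
```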


@markscott-ms markscott-ms merged commit 108f6ad into finos:main Nov 27, 2025
19 checks passed
@rocketstack-matt rocketstack-matt deleted the fix/validate-renovate-permissions branch December 8, 2025 15:51
