
Copilot AI commented Jun 30, 2025

This PR implements minimum token permissions for all GitHub workflow files to improve the repository's security posture according to OpenSSF Scorecard recommendations.

Changes Made

Fixed benchmark.yml:

  • Before: Root-level permissions with contents: write and deployments: write
  • After: Root-level permissions: contents: read with write permissions moved to job level
```yaml
# Before
permissions:
  contents: write
  deployments: write

# After
permissions:
  contents: read

jobs:
  store_benchmark:
    permissions:
      contents: write
      deployments: write
```

Compliance Status

All 13 workflow files now comply with OpenSSF Scorecard token-permissions requirements:

12 files with permissions: contents: read:

  • benchmark.yml (fixed)
  • ci.yml, clang-tidy.yaml, cmake_install.yml, codeql-analysis.yml
  • cppcheck.yml, dependencies_image.yml, fossa.yml, iwyu.yml
  • project_management_comment.yml, project_management_issue_open.yml, stale.yml

1 file with permissions: read-all:

  • ossf-scorecard.yml (acceptable per OpenSSF guidelines)

Security Impact

  • Implements principle of least privilege for GitHub Actions tokens
  • Root-level permissions now limited to read-only access
  • Write permissions only granted at job level where actually needed
  • Maintains all existing functionality while improving security posture

Fixes #27.


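A defender-side check for the rule this PR applies, as an added example that is not code from the pull request or the repository: it scans a workflow file for `permissions` declared at the root versus inside a job and reports any root-level write scope, which is what the Scorecard token-permissions check flags. The two workflow texts are constructed to resemble benchmark.yml before and after the change; no YAML library is assumed.

```python
"""Flag root-level write permissions in a GitHub Actions workflow (added
example, not code from the pull request). Line-based, so no YAML library is
needed; mirrors the OpenSSF Scorecard token-permissions rule the PR applies."""
import re

KEY_VALUE = re.compile(r"^(\s*)(\S.*?):\s*(.*)$")

def scan_permissions(text):
    """(level, scope, access) per permission; level is "root" or a job id."""
    found, level, in_jobs, job_indent, block = [], "root", False, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        m = KEY_VALUE.match(line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        if block is not None and indent > block:
            found.append((level, key, value))     # scope: access pair
            continue
        block = None                              # permissions mapping closed
        if indent == 0:
            level, in_jobs, job_indent = "root", key == "jobs", None
        elif in_jobs and job_indent in (None, indent):
            level, job_indent = key, indent       # a job id under jobs:
        if key == "permissions":
            if value:                             # read-all / write-all form
                found.append((level, "*", value))
            else:
                block = indent
    return found

def root_write_scopes(text):
    """Scopes granted write at root level; an empty list passes the check."""
    return sorted(s for lvl, s, a in scan_permissions(text)
                  if lvl == "root" and a in ("write", "write-all"))

# Constructed workflows shaped like benchmark.yml before and after the PR.
BEFORE = """permissions:
  contents: write
  deployments: write
jobs:
  store_benchmark:
    runs-on: ubuntu-latest"""
AFTER = """permissions:
  contents: read
jobs:
  store_benchmark:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      deployments: write"""
```

Running `root_write_scopes` over every file under `.github/workflows/` gives the same pass/fail verdict the PR's compliance list summarises: `["contents", "deployments"]` for the old benchmark.yml, `[]` after the fix.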

Copilot AI changed the title [WIP] Add minimum token permissions for all github workflow files Add minimum token permissions for all GitHub workflow files Jun 30, 2025
Copilot AI requested a review from trask June 30, 2025 05:18
Copilot finished work on behalf of trask June 30, 2025 05:18