
Copilot AI commented Jun 30, 2025

This PR implements minimum token permissions for all GitHub workflow files to improve security posture according to OpenSSF Scorecard recommendations.

Changes Made

Root-Level Permissions Compliance

  • 12 workflow files were already compliant with proper root-level permissions:
    • ci.yml, clang-tidy.yaml, cmake_install.yml, codeql-analysis.yml, cppcheck.yml, dependencies_image.yml, fossa.yml, iwyu.yml, project_management_comment.yml, project_management_issue_open.yml, stale.yml - all have permissions: contents: read
    • ossf-scorecard.yml - has permissions: read-all (compliant)

Fixed Non-Compliant File

  • benchmark.yml - Had overly broad root-level permissions that violated the principle of least privilege:
    • Before: Root-level contents: write and deployments: write permissions
    • After: Root-level contents: read permission with job-specific write permissions

Job-Level Permissions

Added appropriate job-level permissions to the store_benchmark job in benchmark.yml:

permissions:
  contents: write # required for pushing benchmark results to gh-pages
  deployments: write # required for GitHub Pages deployment

Security Benefits

  1. Reduced Attack Surface: Write permissions are now scoped only to jobs that actually need them
  2. Principle of Least Privilege: Root-level permissions limited to read-only access
  3. OpenSSF Scorecard Compliance: Addresses the Token-Permissions check recommendations
  4. Minimal Changes: Only modified what was necessary, preserving existing functionality

Verification

All 13 workflow files now pass the Token-Permissions security check:

  • ✅ Root-level permissions are either contents: read or read-all
  • ✅ Write permissions are properly scoped to specific jobs that require them
  • ✅ Existing workflow functionality is preserved

Fixes #57.
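The before/after shape of benchmark.yml that the description refers to, as a constructed sketch added here (not the project's actual file): the job name store_benchmark and the two job-level permission lines come from the PR description; the trigger, the run_benchmark job and all steps are assumed.

```yaml
# BEFORE (constructed sketch): the workflow-level block hands every job,
# including the one that only runs the benchmark, a GITHUB_TOKEN that can
# push to the repository and create deployments.
name: benchmark
on:
  push:
    branches: [main]          # assumed trigger
permissions:
  contents: write
  deployments: write
jobs:
  run_benchmark:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # assumed step
      - run: ./run-benchmarks.sh    # assumed step
  store_benchmark:
    needs: run_benchmark
    runs-on: ubuntu-latest
    steps:
      - run: echo "publish results to gh-pages"   # assumed step

---
# AFTER (constructed sketch): the workflow-level token is read-only, so a
# compromised step in run_benchmark cannot write to the repository. Only
# store_benchmark asks for write scopes, and only the two it needs. Note that
# a job-level permissions block replaces (does not merge with) the workflow-
# level one, so the job must list every scope it requires.
name: benchmark
on:
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  run_benchmark:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./run-benchmarks.sh
  store_benchmark:
    needs: run_benchmark
    runs-on: ubuntu-latest
    permissions:
      contents: write      # required for pushing benchmark results to gh-pages
      deployments: write   # required for GitHub Pages deployment
    steps:
      - run: echo "publish results to gh-pages"
```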



Copilot AI changed the title from "[WIP] Add minimum token permissions for all github workflow files" to "Add minimum token permissions for all GitHub workflow files" on Jun 30, 2025
Copilot AI requested a review from trask June 30, 2025 21:51
Copilot finished work on behalf of trask June 30, 2025 21:51
Successfully merging this pull request may close these issues.

Add minimum token permissions for all github workflow files