
Copilot AI commented Jul 12, 2025

Summary

This PR addresses the Token-Permissions check from the OpenSSF Scorecard recommendations by verifying that all GitHub workflow files have proper minimum token permissions defined.

Analysis Results

After comprehensive analysis of all 52 GitHub workflow files in .github/workflows/, I found that the repository is already fully compliant with the OpenSSF Scorecard Token-Permissions requirements.

Current Compliance Status ✅

All workflow files properly implement the security best practices:

  • Root-level permissions: Every workflow has a permissions: block at the root level
  • Minimum permissions: Most workflows use permissions: contents: read (recommended minimum)
  • Alternative format: Some workflows use permissions: read-all (acceptable alternative)
  • Job-level permissions: Jobs requiring additional permissions have appropriate job-level permissions defined
  • Proper positioning: All permissions blocks are correctly placed after the on: block

Examples of Proper Implementation

Standard format (most workflows):

name: Build
on:
  push:
    branches: [main]
permissions:
  contents: read

Alternative format (some workflows):

name: OSSF Scorecard
on:
  push:
    branches: [main]
permissions: read-all

Job-level permissions (when needed):

jobs:
  analysis:
    runs-on: ubuntu-latest
    permissions:
      security-events: write  # required for Code scanning upload
      id-token: write         # required for GitHub OIDC token

Verification Script

Created a comprehensive verification script (verify_all_workflow_permissions.py) that:

  • Scans all workflow files recursively
  • Validates root-level permissions compliance
  • Analyzes job-level permissions
  • Provides detailed reporting with error/warning classification

The script confirmed 52/52 workflows passed validation.

Impact

  • ✅ OpenSSF Scorecard Token-Permissions check should pass
  • ✅ Repository maintains security best practices
  • ✅ No functional changes required - all workflows already compliant
  • ✅ Future workflow additions can be validated using the provided script

Fixes #32.



Copilot AI changed the title [WIP] Add minimum token permissions for all github workflow files Verify GitHub workflow permissions compliance for OpenSSF Scorecard requirements Jul 12, 2025
Copilot AI requested a review from trask July 12, 2025 21:38
Copilot finished work on behalf of trask July 12, 2025 21:38
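The PR description lists what verify_all_workflow_permissions.py checks but does not show the script. As an added example that is not the repository's script, the checker below does the same kind of work in Python: it parses the mapping subset of workflow YAML without a PyYAML dependency, reports a missing or `write-all` top-level `permissions` block as an error, root-level write scopes as a warning, and job-level write scopes as informational findings for review. The severity levels, the helper names and the embedded sample workflow are my own choices, not taken from the PR.

```python
import re

_KEY = re.compile(r"^([A-Za-z0-9_.\-]+):(?:\s+(.*))?$")

SAMPLE_BAD = """on: [push]
permissions: write-all
jobs:
  publish:
    permissions:
      contents: write  # upload release assets
"""  # constructed sample, not a file from the repository

def parse_mappings(text):
    """Mapping-only YAML subset (no PyYAML): '- ' items and comments are skipped,
    flow values such as '[main]' or '{}' stay strings. Not a general parser."""
    stack = [(-1, {})]  # (indent, mapping) for every mapping still open
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()
        body = line.strip()
        match = _KEY.match(body) if body and body[0] not in "#-" else None
        if not match:
            continue
        indent = len(line) - len(line.lstrip(" "))
        while stack[-1][0] >= indent:
            stack.pop()
        key, value = match.groups()
        if value is None:  # a nested mapping follows on deeper-indented lines
            stack[-1][1][key] = child = {}
            stack.append((indent, child))
        else:
            stack[-1][1][key] = value.strip()
    return stack[0][1]

def classify(perms, where, is_root):
    """One finding (level, location, message) for a permissions value, or None."""
    if perms is None:
        return ("error", where, "no permissions block; GITHUB_TOKEN keeps the repository default") if is_root else None
    if perms == "write-all":
        return ("error", where, "write-all grants every scope")
    writes = sorted(k for k, v in perms.items() if v == "write") if isinstance(perms, dict) else []
    if writes:  # root-level writes reach every job; job-level ones are listed for review
        return ("warning" if is_root else "info", where, "write scopes: " + ", ".join(writes))

def check_workflow(text):
    """Findings for one workflow file; an empty list means it passes."""
    doc = parse_mappings(text)
    jobs = doc.get("jobs") if isinstance(doc.get("jobs"), dict) else {}
    job_perms = [(n, s.get("permissions") if isinstance(s, dict) else None) for n, s in jobs.items()]
    results = [classify(doc.get("permissions"), "root", True)] + [classify(p, n, False) for n, p in job_perms]
    return [r for r in results if r]
```

Run it over each file in `.github/workflows/` and treat any `error` finding as a failed check.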