@Copilot Copilot AI commented Jul 12, 2025

Summary

After comprehensive analysis of all GitHub workflow files in the repository, I've confirmed that the OpenTelemetry JS project is already fully compliant with OpenSSF Scorecard Token-Permissions requirements. No changes were needed.

Analysis Results

All 16 GitHub workflow files have proper minimum token permissions implemented:

✅ Root-Level Permissions Compliance

  • 15 workflows use permissions: { contents: read } (recommended minimal permissions)
  • 1 workflow uses permissions: read-all (sbom.yml - also acceptable)
  • 0 workflows missing root-level permissions

✅ Job-Level Permissions Compliance

Properly configured job-level permissions where needed:

  • benchmark.yml: contents: write (for pushing benchmark results to gh-pages)
  • close-stale.yml: issues: write + pull-requests: write (for closing stale issues/PRs)
  • codeql-analysis.yml: security-events: write (for CodeQL analysis)
  • docs.yaml: contents: write (for deploying documentation)
  • ossf-scorecard.yml: security-events: write + id-token: write (for OSSF scorecard)
  • publish-to-npm.yml: id-token: write (for NPM provenance)
  • sbom.yml: contents: write (for adding release artifacts)
  • survey-on-merged-pr.yml: contents: write + pull-requests: write (for PR surveys)

✅ Security Best Practices Confirmed

  • All write permissions include explanatory comments
  • No excessive permissions detected
  • Proper use of secrets.GITHUB_TOKEN vs custom tokens
  • Appropriate permissions for each workflow's purpose

Verification Process

Created and ran a comprehensive verification script based on the OpenSSF Scorecard Token-Permissions check that analyzed all workflow files and confirmed 100% compliance:

  • Total files checked: 16
  • ✅ Passed: 16
  • ⚠️ Warnings: 0
  • ❌ Errors: 0

The repository already follows security best practices and meets all OpenSSF Scorecard recommendations for GitHub Actions token permissions.

Fixes #34.


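The audit the comment above describes, as an added example that is neither Copilot's verification script nor OpenSSF Scorecard's own code: a small Python checker for GitHub workflow files that reports a missing root-level permissions block or write scopes granted at the root, and collects job-level grants for review. It assumes the conventional 2-space YAML layout of workflow files and runs on constructed sample workflows embedded inline (hypothetical file names, not files from this repository).

```python
import re

# Constructed sample workflows; not files from the OpenTelemetry JS repository.
SAMPLES = {
    "ok.yml": "name: ok\non: [push]\npermissions: { contents: read }\njobs:\n  bench:\n"
              "    permissions:\n      contents: write  # push to gh-pages\n    steps:\n      - run: npm test\n",
    "bad.yml": "name: bad\non: [push]\npermissions: write-all\njobs:\n  build:\n    steps:\n      - run: make\n",
    "none.yml": "name: none\non: [push]\njobs:\n  build:\n    steps:\n      - run: make\n",
}

def _rows(text):
    """(indent, content) pairs with comments and blank lines dropped; assumes 2-space YAML layout."""
    rows = []
    for raw in text.splitlines():
        line = re.sub(r"(^|\s+)#.*$", "", raw).rstrip()
        if line.strip():
            rows.append((len(line) - len(line.lstrip()), line.strip()))
    return rows

def _perms(rows, i, indent):
    """Mapping declared by the 'permissions:' row at rows[i]: read-all/write-all, inline map, or block."""
    value = rows[i][1].split(":", 1)[1].strip()
    if value in ("read-all", "write-all"):
        return {"*": value.split("-")[0]}
    if value.startswith("{"):
        return dict(re.findall(r"([\w-]+):\s*(read|write|none)", value))
    perms = {}
    for ind, content in rows[i + 1:]:
        if ind <= indent:
            break
        scope, level = content.split(":", 1)
        perms[scope.strip()] = level.strip()
    return perms

def audit(text):
    """{'root': mapping or None, 'jobs': {job: mapping}} for one workflow file."""
    rows, result, in_jobs, job = _rows(text), {"root": None, "jobs": {}}, False, None
    for i, (ind, content) in enumerate(rows):
        if ind == 0:
            in_jobs = content == "jobs:"
            if content.startswith("permissions:"):
                result["root"] = _perms(rows, i, 0)
        elif in_jobs and ind == 2 and content.endswith(":"):
            job = content[:-1]
        elif in_jobs and ind == 4 and job and content.startswith("permissions:"):
            result["jobs"][job] = _perms(rows, i, 4)
    return result

def findings(text):
    """Scorecard-style findings: no root block, or write scopes granted at the root."""
    root = audit(text)["root"]
    if root is None:
        return ["no root-level permissions block (token keeps the repository default)"]
    return [f"root-level write on {scope}" for scope, lvl in root.items() if lvl == "write"]
```

Job-level write grants such as the benchmark job's `contents: write` are returned by `audit()` rather than flagged, matching the comment's point that scoped job-level writes with a stated reason are acceptable.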

@Copilot Copilot AI assigned Copilot and trask Jul 12, 2025
@Copilot Copilot AI changed the title [WIP] Add minimum token permissions for all github workflow files GitHub workflows already compliant with OpenSSF Scorecard Token-Permissions requirements Jul 12, 2025
@Copilot Copilot AI requested a review from trask July 12, 2025 21:47
Copilot finished work on behalf of trask July 12, 2025 21:47

Development

Successfully merging this pull request may close these issues.

Add minimum token permissions for all github workflow files