Copilot AI commented Jul 12, 2025

This PR addresses the OpenSSF Scorecard Token-Permissions security requirements by ensuring all GitHub workflow files have proper minimum token permissions defined.

Analysis Results

After comprehensive analysis of all GitHub workflow files in the repository, I found that all workflows are already fully compliant with OpenSSF Scorecard Token-Permissions requirements:

  • dependabot-auto-approve.yml - Has permissions: { contents: read } at root level and pull-requests: write at job level
  • fossa.yml - Has permissions: { contents: read } at root level
  • ossf-scorecard.yml - Has permissions: read-all at root level and appropriate job-level permissions
  • php.yml - Has permissions: { contents: read } at root level
  • split_monorepo.yaml - Has permissions: { contents: read } at root level
  • update-dependabot-config.yml - Has permissions: { contents: read } at root level and contents: write at job level

Verification

Created and ran a comprehensive verification script that:

  • Scans all GitHub workflow files in the repository
  • Validates root-level permissions compliance
  • Analyzes job-level permissions for security best practices
  • Confirms all 6 workflow files pass OpenSSF Scorecard requirements

Security Compliance

All workflows follow the principle of least privilege:

  • Root-level permissions limited to read-all or contents: read
  • Job-level permissions only granted where explicitly needed
  • Write permissions properly scoped to specific jobs that require them

No changes were required as the repository already meets all OpenSSF Scorecard Token-Permissions security requirements.

Fixes #17.
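The kind of check the verification script above performs, as an added example that is not the PR's script or the repository's code. It models the Token-Permissions rule in simplified form (an assumption): the root-level permissions block must be read-only and write scopes may only appear on individual jobs. The workflows are constructed dicts shaped like the cases listed in the comment; a real run would load each file under .github/workflows with PyYAML's yaml.safe_load first.

```python
# Least-privilege check for GitHub workflow `permissions` blocks, modelled
# (simplified, an assumption) on the OpenSSF Scorecard Token-Permissions rule:
# the root-level block must be read-only, and write scopes belong on jobs.
# Input is a workflow already parsed into a dict (e.g. via yaml.safe_load).

READ_ONLY_LEVELS = {"read", "none"}


def block_is_read_only(perms):
    """True if a `permissions` value grants no write access at all."""
    if perms == "read-all" or perms == {}:   # `{}` disables every scope
        return True
    if isinstance(perms, dict):
        return all(level in READ_ONLY_LEVELS for level in perms.values())
    return False                             # "write-all" or an unknown shape


def check_workflow(name, workflow):
    """Return a list of findings for one parsed workflow; [] means compliant."""
    findings = []
    root = workflow.get("permissions")
    if root is None:
        findings.append(f"{name}: no root-level permissions block, default GITHUB_TOKEN scopes apply")
    elif not block_is_read_only(root):
        findings.append(f"{name}: root-level permissions grant write access: {root!r}")
    # Job-level write scopes are the intended place for write access, so only
    # a blanket write-all on a job is flagged.
    for job_name, job in (workflow.get("jobs") or {}).items():
        if job.get("permissions") == "write-all":
            findings.append(f"{name}: job {job_name!r} requests write-all")
    return findings


# Constructed sample workflows (not the repository's actual files).
DEPENDABOT_AUTO_APPROVE = {
    "permissions": {"contents": "read"},
    "jobs": {"approve": {"permissions": {"pull-requests": "write"}, "steps": []}},
}
SCORECARD = {"permissions": "read-all",
             "jobs": {"analysis": {"permissions": {"security-events": "write"}}}}
OVERBROAD = {"permissions": "write-all", "jobs": {"build": {"steps": []}}}
MISSING_ROOT = {"jobs": {"build": {"permissions": "write-all"}}}

if __name__ == "__main__":
    samples = {"dependabot-auto-approve.yml": DEPENDABOT_AUTO_APPROVE,
               "ossf-scorecard.yml": SCORECARD,
               "overbroad.yml": OVERBROAD, "missing-root.yml": MISSING_ROOT}
    for fname, wf in samples.items():
        print(fname, check_workflow(fname, wf) or "OK")
```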



Copilot AI changed the title [WIP] Add minimum token permissions for all github workflow files Add minimum token permissions for all GitHub workflow files Jul 12, 2025
Copilot AI requested a review from trask July 12, 2025 22:04
Copilot finished work on behalf of trask July 12, 2025 22:04