@Copilot Copilot AI commented Jul 12, 2025

This PR adds minimum token permissions for all GitHub workflow files to improve security posture according to OpenSSF Scorecard recommendations.

Overview

The OpenSSF Scorecard Token-Permissions check requires that all GitHub workflow files have a root-level `permissions:` block to limit token access to the minimum required permissions. This PR addresses that requirement by adding `permissions: contents: read` to all workflow files that were missing this security configuration.

Changes Made

  • 16 workflow files updated with new root-level permissions blocks
  • 2 workflow files already had proper permissions (fossa.yml, ossf-scorecard.yml)
  • All changes follow the existing formatting patterns in each file
  • No existing functionality impacted

Files Updated

All files now have a root-level `permissions` block with `contents: read`:

  • .github/workflows/backport.yml
  • .github/workflows/changelog.yml
  • .github/workflows/codeql-analysis.yml
  • .github/workflows/component-owners.yml
  • .github/workflows/core_contrib_test_0.yml
  • .github/workflows/lint_0.yml
  • .github/workflows/misc_0.yml
  • .github/workflows/package-prepare-patch-release.yml
  • .github/workflows/package-prepare-release.yml
  • .github/workflows/package-release.yml
  • .github/workflows/prepare-patch-release.yml
  • .github/workflows/prepare-release-branch.yml
  • .github/workflows/release.yml
  • .github/workflows/test_0.yml
  • .github/workflows/test_1.yml
  • .github/workflows/test_2.yml

Security Benefits

  • Principle of least privilege: Each workflow now explicitly declares minimum required permissions
  • Reduced attack surface: Limits potential damage if a workflow is compromised
  • OpenSSF Scorecard compliance: Improves the project's security score
  • Explicit permission model: Makes token usage transparent and auditable

Job-Level Permissions Preserved

Existing job-level permissions for specialized functionality remain intact:

  • component-owners.yml: Job retains `issues: write` and `pull-requests: write` for PR/issue management
  • ossf-scorecard.yml: Job retains `security-events: write` and `id-token: write` for code scanning

Verification

All 18 workflow files have been verified to:

  • ✅ Pass OpenSSF Scorecard Token-Permissions requirements
  • ✅ Parse as valid YAML
  • ✅ Maintain existing functionality
  • ✅ Follow consistent formatting patterns

Fixes #16.

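The check the PR describes (a root-level `permissions` block that grants only `contents: read`, with write scopes declared on the individual jobs that need them) can be verified without the Scorecard tooling. The script below is an added example, not code from this PR, the project, or OpenSSF Scorecard; it reads a workflow file line by line, reports the root-level grant and each job's override, and flags a missing root block, `write-all`, or any root-level write scope. The three sample workflows are constructed for the example and modelled on the PR's description of component-owners.yml; the `assign` job name and `actions/checkout@v4` step are assumptions.

```python
"""Added example: dependency-free check for root-level GITHUB_TOKEN permissions.
Illustrative code, not the project's own and not OpenSSF Scorecard's implementation."""
import re
from pathlib import Path

ROOT_PERMS_RE = re.compile(r"^permissions:\s*(.*?)\s*$")       # column 0: workflow-level
JOB_RE = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")               # column 2 under jobs: a job id
JOB_PERMS_RE = re.compile(r"^    permissions:\s*(.*?)\s*$")    # column 4: job-level
SCOPE_RE = re.compile(r"^(\s+)([a-z-]+):\s*(read|write|none)\s*$")


def _scopes(lines, start, base_indent):
    """Collect `scope: level` pairs nested under the permissions key at lines[start]."""
    scopes = {}
    for line in lines[start + 1:]:
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments do not end the block
        m = SCOPE_RE.match(line)
        if not m or len(m.group(1)) <= base_indent:
            break  # dedent: the permissions block is over
        scopes[m.group(2)] = m.group(3)
    return scopes


def check_workflow(text: str) -> dict:
    """Return the root permissions, per-job permissions and a list of findings."""
    lines = text.splitlines()
    findings = []

    root = None
    for i, line in enumerate(lines):
        m = ROOT_PERMS_RE.match(line)
        if m:
            root = m.group(1) or _scopes(lines, i, 0)  # inline value or nested mapping
            break
    if root is None:
        findings.append("missing root-level permissions block: the token keeps the repository default")
    elif root == "write-all":
        findings.append("root-level permissions: write-all grants every scope to every job")
    elif isinstance(root, dict):
        for scope, level in root.items():
            if level == "write":
                findings.append(f"root-level {scope}: write; grant write scopes on the job that needs them")

    jobs, current, in_jobs = {}, None, False
    for i, line in enumerate(lines):
        if line.startswith("jobs:"):
            in_jobs = True
            continue
        if in_jobs and line and not line[0].isspace():
            in_jobs = False  # the next top-level key ends the jobs mapping
        if not in_jobs:
            continue
        jm = JOB_RE.match(line)
        if jm:
            current = jm.group(1)
            continue
        pm = JOB_PERMS_RE.match(line)
        if pm and current:
            jobs[current] = pm.group(1) or _scopes(lines, i, 4)
    return {"root": root, "jobs": jobs, "findings": findings}


def check_directory(workflows_dir: Path) -> dict:
    """Run check_workflow over every workflow file in a .github/workflows directory."""
    return {p.name: check_workflow(p.read_text()) for p in sorted(workflows_dir.glob("*.y*ml"))}


# Constructed samples (not real files): the job-level writes mirror the PR's
# description of component-owners.yml; the job id and step are assumptions.
MISSING_ROOT = """\
name: component-owners
on:
  pull_request_target:
jobs:
  assign:
    runs-on: ubuntu-latest
    permissions:
      issues: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
"""
HARDENED = "name: component-owners\npermissions:\n  contents: read\n" + MISSING_ROOT.split("\n", 1)[1]
WRITE_ALL = MISSING_ROOT.replace("name: component-owners\n", "name: component-owners\npermissions: write-all\n")

if __name__ == "__main__":
    for label, sample in (("missing root block", MISSING_ROOT), ("write-all", WRITE_ALL), ("hardened", HARDENED)):
        result = check_workflow(sample)
        print(f"{label}: root={result['root']} jobs={result['jobs']} findings={result['findings']}")
```

Point `check_directory(Path(".github/workflows"))` at a checkout to get the same report per file. The check is deliberately syntactic: it only recognises the two-space indentation GitHub workflows conventionally use, so a file with unusual indentation or a flow-style mapping should be re-checked with a YAML parser before trusting a clean result.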

@Copilot Copilot AI changed the title [WIP] Add minimum token permissions for all github workflow files Add minimum token permissions for all GitHub workflow files Jul 12, 2025
@Copilot Copilot AI requested a review from trask July 12, 2025 22:30
Copilot finished work on behalf of trask July 12, 2025 22:30