Skip to content

[WIP] Add minimum token permissions for all github workflow files #6

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

[WIP] Add minimum token permissions for all github workflow files #6

wants to merge 2 commits into from

Conversation

Copilot
Copy link

@Copilot Copilot AI commented Jul 1, 2025
edited
Loading

Add minimum token permissions for all GitHub workflow files to improve security posture according to OpenSSF Scorecard recommendations.

Plan:

Step 1: Add Root-Level Permissions

  • Analyze current state - 16 files need root-level permissions added
  • Identify formatting patterns - Rule B applies (blank lines above/below permissions)
  • Create formatting analysis tools
  • Add permissions: contents: read to 16 workflow files
    • backport.yml
    • changelog.yml
    • codeql-analysis.yml
    • component-owners.yml
    • core_contrib_test_0.yml
    • lint_0.yml
    • misc_0.yml
    • package-prepare-patch-release.yml
    • package-prepare-release.yml
    • package-release.yml
    • prepare-patch-release.yml
    • prepare-release-branch.yml
    • release.yml
    • test_0.yml
    • test_1.yml
    • test_2.yml

Step 2: Add Job-Level Permissions

  • Analyze workflows that use secrets.GITHUB_TOKEN
  • Add appropriate write permissions for:
    • release.yml (needs contents: write for creating releases)
    • package-release.yml
    • prepare-release-branch.yml
    • package-prepare-patch-release.yml
    • prepare-patch-release.yml

Step 3: Handle Reusable Workflows

  • Check for any local reusable workflow calls (none found so far)

Files already compliant:

  • ✅ fossa.yml (has permissions: contents: read)
  • ✅ ossf-scorecard.yml (has permissions: read-all)

Fixes #5.

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

@Copilot Copilot AI assigned Copilot and trask Jul 1, 2025
@Copilot Copilot AI requested a review from trask July 1, 2025 00:05
@trask
Copy link
Collaborator

trask commented Jul 1, 2025

@copilot try again

@trask trask closed this Jul 1, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@trask trask Awaiting requested review from trask

Assignees

@trask trask

Copilot code review Copilot

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add minimum token permissions for all github workflow files
2 participants
@Copilot @trask