Skip to content

Add minimum token permissions for all GitHub workflow files #21

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
Copilot wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

Add minimum token permissions for all GitHub workflow files #21

Copilot wants to merge 2 commits into from

Conversation

Copy link

Copilot AI commented Jul 12, 2025
edited
Loading

This PR adds minimum token permissions to all GitHub workflow files to improve security posture according to OpenSSF Scorecard recommendations, specifically addressing the Token-Permissions check.

Changes Made

Root-Level Permissions Added

  • Added permissions: contents: read to all workflows that only need basic read access
  • Maintained existing permissions: read-all for ossf-scorecard.yml (already compliant)
  • Applied proper formatting with blank lines above and below permissions blocks

Job-Level Permissions Added Where Needed

  • benchmarks.yml: Added contents: write (for gh-pages push) and pull-requests: write (for PR comments)
  • codeql-analysis.yml: Added security-events: write (for CodeQL results upload)
  • release.yml: Added contents: write (for GitHub releases)
  • prepare-release-branch.yml: Added pull-requests: write (for PR labels) to both jobs
  • prepare-patch-release.yml: Added pull-requests: write (for PR labels)

Template Updates

  • Updated all workflow templates (lint.yml.j2, test.yml.j2, misc.yml.j2) to include proper permissions
  • Regenerated workflow files from templates with updated permissions
  • Removed obsolete test_1.yml file that was no longer generated

Files Updated

  • Manual workflows: backport.yml, benchmarks.yml, changelog.yml, check-links.yml, codeql-analysis.yml, contrib.yml, prepare-patch-release.yml, prepare-release-branch.yml, release.yml
  • Generated workflows: lint_0.yml, test_0.yml, misc_0.yml
  • Templates: All template files in .github/workflows/templates/

Security Impact

  • Workflows using custom tokens (OPENTELEMETRYBOT_GITHUB_TOKEN) only receive basic read permissions
  • Job-level permissions are added only where GITHUB_TOKEN is explicitly used
  • All write permissions include trailing comments explaining their necessity
  • Follows principle of least privilege while maintaining functionality

Verification

All 14 workflow files now pass OpenSSF Scorecard Token-Permissions requirements. The changes are minimal and surgical, maintaining existing functionality while improving security posture.

Fixes #20.

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.

Copilot AI changed the title [WIP] Add minimum token permissions for all github workflow files Add minimum token permissions for all GitHub workflow files Jul 12, 2025
Copilot AI requested a review from trask July 12, 2025 22:29
Copilot finished work on behalf of trask July 12, 2025 22:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@trask trask Awaiting requested review from trask

Assignees

@trask trask

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add minimum token permissions for all github workflow files

2 participants

@trask