CI: add least-privilege permissions to GitHub Actions workflows#122
CI: add least-privilege permissions to GitHub Actions workflows#122peter-matkovski wants to merge 6 commits into
Conversation
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
| contents: read | ||
| pull-requests: read |
There was a problem hiding this comment.
ncipollo/release-action creates a GitHub Release and its git tag, which is a write to contents, so contents: read makes the release call return 403 Resource not accessible by integration. generateReleaseNotes: true also needs contents: write, not pull-requests. This won't surface on this PR's CI since the job only runs on merged release-* PRs.
| contents: read | |
| pull-requests: read | |
| contents: write |
|
|
||
| permissions: | ||
| contents: read | ||
| pull-requests: read |
There was a problem hiding this comment.
The -reporter=github-pr-review reporter posts review comments via the GitHub PR Review API, which is a write. With pull-requests: read it cannot post and fails on that path (reviewdog's own sample workflow grants pull-requests: write for this reporter). It only fails when golangci-lint has something to report, so a lint-clean PR hides it.
| pull-requests: read | |
| pull-requests: write |
|
|
||
| permissions: | ||
| contents: read | ||
| pull-requests: write |
There was a problem hiding this comment.
This workflow runs on schedule/dispatch with no PR context, and the Slack step uses SLACK_BOT_TOKEN, so pull-requests: write is never used. Granting an unused write scope is the anti-pattern this PR removes elsewhere; drop it.
| pull-requests: write |
Summary
permissionsblocks to workflow files flagged by CodeQL.actions/missing-workflow-permissionsalerts.Linear
Test plan