Skip to content

CI: add least-privilege permissions to GitHub Actions workflows#122

Open
peter-matkovski wants to merge 6 commits into
mainfrom
ci/workflow-least-privilege-permissions
Open

CI: add least-privilege permissions to GitHub Actions workflows#122
peter-matkovski wants to merge 6 commits into
mainfrom
ci/workflow-least-privilege-permissions

Conversation

@peter-matkovski

@peter-matkovski peter-matkovski commented Jul 8, 2026

Copy link
Copy Markdown

Summary

  • Add explicit least-privilege permissions blocks to workflow files flagged by CodeQL.
  • Scopes derived from workflow operations (build, artifacts, Danger, release git push).
  • Resolves 6 open actions/missing-workflow-permissions alerts.

Linear

Test plan

  • CI green
  • Code scanning alerts close after merge

Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
@peter-matkovski peter-matkovski temporarily deployed to feeds-enabled-shard July 8, 2026 11:27 — with GitHub Actions Inactive
@peter-matkovski peter-matkovski temporarily deployed to feeds-enabled-shard July 8, 2026 11:27 — with GitHub Actions Inactive
@peter-matkovski peter-matkovski temporarily deployed to feeds-enabled-shard July 8, 2026 11:27 — with GitHub Actions Inactive
@peter-matkovski peter-matkovski deployed to feeds-enabled-shard July 8, 2026 11:27 — with GitHub Actions Active
@peter-matkovski peter-matkovski temporarily deployed to feeds-enabled-shard July 8, 2026 11:27 — with GitHub Actions Inactive
@peter-matkovski peter-matkovski temporarily deployed to feeds-enabled-shard July 8, 2026 11:27 — with GitHub Actions Inactive
@peter-matkovski peter-matkovski self-assigned this Jul 8, 2026
@peter-matkovski peter-matkovski requested a review from a team July 9, 2026 09:37
@peter-matkovski peter-matkovski enabled auto-merge (squash) July 9, 2026 11:41
Comment on lines +10 to +11
contents: read
pull-requests: read

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ncipollo/release-action creates a GitHub Release and its git tag, which is a write to contents, so contents: read makes the release call return 403 Resource not accessible by integration. generateReleaseNotes: true also needs contents: write, not pull-requests. This won't surface on this PR's CI since the job only runs on merged release-* PRs.

Suggested change
contents: read
pull-requests: read
contents: write


permissions:
contents: read
pull-requests: read

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The -reporter=github-pr-review reporter posts review comments via the GitHub PR Review API, which is a write. With pull-requests: read it cannot post and fails on that path (reviewdog's own sample workflow grants pull-requests: write for this reporter). It only fails when golangci-lint has something to report, so a lint-clean PR hides it.

Suggested change
pull-requests: read
pull-requests: write


permissions:
contents: read
pull-requests: write

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This workflow runs on schedule/dispatch with no PR context, and the Slack step uses SLACK_BOT_TOKEN, so pull-requests: write is never used. Granting an unused write scope is the anti-pattern this PR removes elsewhere; drop it.

Suggested change
pull-requests: write

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants