ci: restrict workflow token permissions #24

Merged
saagpatel merged 2 commits into main from codex/ci/workflow-permissions
May 18, 2026
Conversation

@saagpatel (Owner)

What

  • Adds explicit contents: read permissions to desktop-ci and quality-gates.

Why

  • CodeQL flagged both workflows for relying on broad default GITHUB_TOKEN permissions.

How

  • Uses a workflow-level permission block so checkout and read-only CI steps keep working with least privilege.

Testing

  • Commands run:
    • Not run locally (remote workflow-only change).
  • Results:
    • PR checks will validate the workflows on GitHub.

Performance impact

  • Bundle delta: None expected.
  • Build time delta: None expected.
  • Lighthouse delta: None expected.
  • API latency delta: None expected.
  • DB query delta: None expected.

Risk / Notes

  • Low risk; CI token permissions are read-only and no lockfiles changed.

Screenshots (UI only)

  • N/A

Lockfile rationale (if lockfile changed)

  • N/A

Baseline governance (if .perf-baselines changed)

  • perf-baseline-update label applied: N/A
  • Reviewer signoff: N/A
  • Rollback note: Revert this PR if a workflow unexpectedly needs broader token permissions.
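The change described above, shown as an added before/after example of a GitHub Actions workflow. This is not the project's own desktop-ci or quality-gates file; the workflow name, trigger, job names and steps are illustrative assumptions. The point it demonstrates is that a workflow-level `permissions` block naming only `contents: read` sets every unlisted scope of GITHUB_TOKEN to none, and that a job which genuinely needs a write scope opts in at job level instead of widening the whole workflow:

```yaml
# Added example, not the project's own workflow. Filenames, job names and
# steps are assumptions chosen to illustrate the permissions change.

# --- Before: no permissions block. GITHUB_TOKEN inherits the repository's
# default "Workflow permissions" setting, which on many repositories is
# read and write on most scopes. This is what CodeQL flags.
name: desktop-ci
on:
  pull_request:
  push:
    branches: [main]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test

---
# --- After: workflow-level block. Once any scope is listed, every scope
# not listed is none, so this token can read repository contents and
# nothing else. actions/checkout needs only contents: read.
name: desktop-ci
on:
  pull_request:
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test

  # A job that must write (here: posting a PR comment) declares its own
  # block. Job-level permissions replace the workflow-level block for that
  # job, so contents: read must be restated if the job still needs it.
  comment:
    needs: build
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - run: gh pr comment "$PR" --body "CI passed"
        env:
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}
          PR: ${{ github.event.pull_request.number }}
```

To confirm the effective scopes after merging, open any run of the workflow and expand the "Set up job" step: it lists the resolved GITHUB_TOKEN permissions for that job. Two caveats when deciding whether a job needs more than `contents: read`: a `pull_request` run triggered from a fork receives a read-only token regardless of what the workflow declares, and any step that pushes tags, publishes releases or writes check results will fail with a 403 under this block, which is the failure mode the PR's rollback note anticipates.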

@saagpatel saagpatel merged commit 2a79717 into main May 18, 2026
26 checks passed
@saagpatel saagpatel deleted the codex/ci/workflow-permissions branch May 18, 2026 05:23