ci: declare workflow-level contents: read on 7 CI workflows#2672
ci: declare workflow-level contents: read on 7 CI workflows#2672arpitjain099 wants to merge 2 commits into
contents: read on 7 CI workflows#2672Conversation
All 7 workflows (checkDependencies, ci, codeql, doCleanCode, pr-checks, unit-tests, version-increments) just run checks and validation. No GitHub API writes from the workflows themselves at the workflow level. For workflows where individual jobs need a higher scope (e.g., codeql analyze typically needs security-events: write), job-level permissions can still override upward. This PR only adds the workflow-level cap. Same post-CVE-2025-30066 (tj-actions/changed-files) hardening pattern. yaml.safe_load validated on each touched file. Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
d2e6468 to
59e3c2c
Compare
There was a problem hiding this comment.
Pull request overview
This PR hardens GitHub Actions by declaring workflow-level permissions: contents: read on seven CI workflows to reduce default GITHUB_TOKEN scope, following post–CVE-2025-30066 mitigation guidance.
Changes:
- Add workflow-level
permissions: contents: readto multiple CI/reusable-workflow caller workflows. - Standardize least-privilege defaults across scheduled, PR, and
workflow_run-triggered workflows.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/version-increments.yml | Adds workflow-level contents: read permission. |
| .github/workflows/unit-tests.yml | Adds workflow-level contents: read permission. |
| .github/workflows/pr-checks.yml | Adds workflow-level contents: read permission. |
| .github/workflows/doCleanCode.yml | Adds workflow-level contents: read permission. |
| .github/workflows/codeql.yml | Adds workflow-level contents: read permission (requires additional scope for CodeQL reporting). |
| .github/workflows/ci.yml | Adds workflow-level contents: read permission. |
| .github/workflows/checkDependencies.yml | Adds workflow-level contents: read permission. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| permissions: | ||
| contents: read | ||
|
|
codeql.yml, pr-checks.yml and unit-tests.yml only call reusable workflows. A caller's workflow-level permissions cap the GITHUB_TOKEN for the called workflow, which cannot request more than the caller grants. The contents: read block here was stripping scopes the callees need: - codeQLworkflow.yml needs security-events: write and actions: read to upload CodeQL results to Code Scanning (the issue @akurtakov asked to correct) - verifyFreezePeriod.yml needs issues: read - checkMergeCommits.yml needs pull-requests: read - publishTestResults.yml needs checks: write, pull-requests: write, issues: read and actions: read Revert the permissions block on these three reusable-only callers; each reusable workflow already declares its own least-privilege permissions. The contents: read additions on the remaining workflows in this PR are kept. Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
|
Thanks for catching that, @akurtakov. You're right. I dropped codeql.yml from this change (along with pr-checks.yml and unit-tests.yml, which are also reusable-only callers). A workflow-level The remaining files here (checkDependencies, ci, doCleanCode, version-increments) are unaffected and still carry the workflow-level |
Adds workflow-level
permissions: contents: readto seven CI workflows that run pure checks or validation:The cap is at the workflow level only. Jobs that genuinely need a wider scope (e.g., the codeql analyze job typically needs
security-events: write) can still declare it at the job level.Same post-CVE-2025-30066 (
tj-actions/changed-filescompromise) hardening pattern. YAML validated locally withyaml.safe_loadon each touched file.