Skip to content

Commit 96bcd23

Browse files
committed
fix(ci): add least-privilege permissions to workflow files
Add top-level permissions blocks following the two-tier permission pattern recommended by OpenSSF Scorecard: - stale.yml: add `permissions: {}` at workflow level (job already has issues: write + pull-requests: write) - build_external_container_images.yaml: move `packages: write` from workflow level to job level; set workflow level to `permissions: read-all` scm_configuration_check.yaml already had `permissions: read-all` at workflow level so no change was needed. Fixes #2841 Signed-off-by: Vibhav Bobade <vibhav.bobde@gmail.com>
1 parent 84e5e54 commit 96bcd23

3 files changed

Lines changed: 7 additions & 2 deletions

File tree

.github/workflows/build_external_container_images.yaml

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5,12 +5,14 @@ on:
55

66
permissions:
77
contents: read
8-
packages: write
98

109
jobs:
1110
build_and_push_images:
1211
name: Build and Push ${{ matrix.image.name }} Image
1312
runs-on: ubuntu-latest
13+
permissions:
14+
contents: read
15+
packages: write
1416
strategy:
1517
matrix:
1618
image:

.github/workflows/codeql.yml

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,6 @@ on:
1111

1212
permissions:
1313
contents: read
14-
id-token: write # required for SLSA attestation
1514

1615
jobs:
1716
analyze:

.github/workflows/stale.yml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,10 @@ on:
55
- cron: '30 1 * * *'
66
workflow_dispatch:
77

8+
# Job-level permissions completely replace workflow-level defaults, so the
9+
# token only receives the job's issues: write + pull-requests: write grants.
10+
permissions: {}
11+
812
jobs:
913
close-issues:
1014
runs-on: ubuntu-latest

0 commit comments

Comments
 (0)