From a5f8adce23f477007faae512e31725a189797a94 Mon Sep 17 00:00:00 2001
From: Vibhav Bobade
Date: Fri, 27 Mar 2026 18:23:11 +0530
Subject: [PATCH] fix(ci): add least-privilege permissions to workflow files

Add top-level permissions blocks following the two-tier permission pattern recommended by OpenSSF Scorecard:

- stale.yml: add `permissions: {}` at workflow level (job already has issues: write + pull-requests: write)
- build_external_container_images.yaml: move `packages: write` from workflow level to job level; set workflow level to `permissions: read-all`

scm_configuration_check.yaml already had `permissions: read-all` at workflow level so no change was needed.

Fixes chainloop-dev/chainloop#2841

Signed-off-by: Vibhav Bobade
---
 .github/workflows/build_external_container_images.yaml | 4 +++-
 .github/workflows/codeql.yml | 1 -
 .github/workflows/stale.yml | 4 ++++
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build_external_container_images.yaml b/.github/workflows/build_external_container_images.yaml
index 7876dbfcb..8c90f59bf 100644
--- a/.github/workflows/build_external_container_images.yaml
+++ b/.github/workflows/build_external_container_images.yaml
@@ -5,12 +5,14 @@ on:
 permissions:
   contents: read
-  packages: write
 jobs:
   build_and_push_images:
     name: Build and Push ${{ matrix.image.name }} Image
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
     strategy:
       matrix:
         image:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 56950d13f..fec86ea7c 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -11,7 +11,6 @@ on:
 permissions:
   contents: read
-  id-token: write # required for SLSA attestation
 jobs:
   analyze:
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index b28cd78ff..3e1b962a0 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
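Review bot: The workflow-level block in this hunk keeps `contents: read` rather than the `permissions: read-all` the commit message describes; the narrower grant is the better choice, but the message should say what the diff does. The new job-level block also carries no comment, unlike the stale.yml hunk in the same commit, so a later reader will not know why `packages: write` lives here; suggest `# Job-level block replaces the workflow default above; only this push job needs packages: write.` directly above the added `permissions:` line. The build_and_push_images job body continues outside the hunk, so whether any other step needs a write scope cannot be confirmed from here.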
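Review bot: The removed `id-token: write` line carried its own comment stating it is required for SLSA attestation, and nothing in the hunk or the commit message explains why it is no longer needed; the diffstat lists codeql.yml but the description never mentions it. The analyze job sits outside the hunk, so I cannot see whether an attestation or OIDC step is still present; if it is, that step will now fail at runtime and the job needs its own grant, `permissions:` with `contents: read` and `id-token: write`, keeping the workflow-level block read-only. If the attestation step was dropped, the commit message should record that so the permission removal is traceable.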
@@ -5,6 +5,10 @@ on:
     - cron: '30 1 * * *'
   workflow_dispatch:
+# Job-level permissions completely replace workflow-level defaults, so the
+# token only receives the job's issues: write + pull-requests: write grants.
+permissions: {}
+
 jobs:
   close-issues:
     runs-on: ubuntu-latest
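Review bot: The new comment asserts that the close-issues job carries issues: write and pull-requests: write, but that job-level block is outside this hunk, and with `permissions: {}` at workflow level the token is fully stripped for any job that lacks its own block, so a missing job grant would make actions/stale fail rather than degrade. The commit message says the job block exists; worth confirming in review rather than relying on the comment. The comment would also read more accurately as `# Workflow-level grants are emptied; each job declares only the scopes it needs (close-issues: issues: write, pull-requests: write).`, since `{}` is an explicit empty grant rather than a default.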