@Copilot Copilot AI commented Aug 18, 2025

This PR adds minimum token permissions to all 29 GitHub workflow files to improve the repository's security posture according to OpenSSF Scorecard recommendations.

Changes Made

Added root-level permissions: contents: read blocks to 26 workflow files that were missing them. The remaining 3 files (fossa.yml, nightly-release.yaml, and ossf-scorecard.yml) already had proper root-level permissions defined.

Implementation Details

  • Consistent formatting: All permissions blocks follow the existing code style with proper blank line spacing
  • Strategic placement: Permissions blocks are inserted immediately after the on: trigger block
  • Minimal changes: Only 2-3 lines added per file, no existing code modified or deleted
  • Job-level permissions preserved: Existing job-specific permissions (like in update-version.yaml) remain unchanged

Security Impact

This addresses the Token-Permissions check from the OpenSSF Scorecard by ensuring every workflow has explicitly defined permissions at the root level. Previously, workflows inherited default permissions which could be overly permissive.

The contents: read permission provides the minimum access needed for most CI/CD operations like checking out code and reading repository contents, while jobs that need additional permissions (like creating releases or updating PRs) retain their existing job-level permission declarations.

Verification

All 29 workflow files now pass permissions compliance checks with zero errors or warnings.

Fixes #45.
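The layout the description refers to (a root-level read-only block placed right after the on: trigger, with a job that keeps its own elevated scope), plus a small checker for the compliance step, as an added example that is not one of the repository's workflow files or the check the PR used; the sample workflow, the rule set and the line-based parsing heuristic are this example's own assumptions:

```python
import re

# Constructed sample workflow (not one of the repository's 29 files): a root-level
# read-only token, and one job that explicitly requests the write scope it needs.
SAMPLE_WORKFLOW = """\
name: release
on:
  push:
    tags: ['v*']

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # job-level grant, scoped to this job only
    steps:
      - run: echo "create the release here"
"""

def top_level_keys(text: str) -> list:
    """Column-0 `key:` lines, in order (line-based heuristic, not a YAML parser)."""
    return [m.group(1) for m in re.finditer(r"^([A-Za-z_][\w-]*):", text, re.M)]

def root_permissions(text: str) -> "dict | None":
    """Root-level permissions as {scope: level}; None when absent. Indented (job-level) keys are not matched."""
    m = re.search(r"^permissions:[ \t]*(\S.*)?\n((?:[ \t]+\S.*\n)*)", text, re.M)
    if not m:
        return None
    if m.group(1):  # inline form such as `permissions: read-all` or `{}`
        return {"*": m.group(1).strip()}
    return dict(re.findall(r"^[ \t]+([\w-]+):[ \t]*([\w-]+)", m.group(2), re.M))

def check_workflow(text: str) -> list:
    """Findings for one workflow file; an empty list means it passes."""
    findings = []
    perms = root_permissions(text)
    if perms is None:
        return ["missing root-level permissions block (token falls back to the repository default)"]
    if any(level in ("write", "write-all") for level in perms.values()):
        findings.append(f"root-level permissions grant write access: {perms}")
    keys = top_level_keys(text)
    if "on" in keys and keys.index("permissions") < keys.index("on"):
        findings.append("permissions block should follow the on: trigger block")
    return findings
```

Run check_workflow over each file under .github/workflows to reproduce the "zero errors or warnings" pass; a workflow with no root-level block is the case the PR closes.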



@Copilot Copilot AI assigned Copilot and trask Aug 18, 2025

Copilot AI commented Aug 18, 2025

@trask 👋 This repository doesn't have Copilot instructions. With Copilot instructions, I can understand the repository better, work faster and produce higher quality PRs.

I can generate a .github/copilot-instructions.md file for you automatically. Click here to open a pre-filled issue and assign it to me. I'll write the instructions, and then tag you for review.

Copilot AI and others added 2 commits August 18, 2025 20:59
Co-authored-by: trask <218610+trask@users.noreply.github.com>
Co-authored-by: trask <218610+trask@users.noreply.github.com>
@Copilot Copilot AI changed the title [WIP] Add minimum token permissions for all github workflow files Add minimum token permissions for all GitHub workflow files Aug 18, 2025
@Copilot Copilot AI requested a review from trask August 18, 2025 21:06
Copilot finished work on behalf of trask August 18, 2025 21:06
Successfully merging this pull request may close these issues.

Add minimum token permissions for all github workflow files