
Add minimum token permissions for all GitHub workflow files #4


Closed
wants to merge 1 commit into from

Conversation


@Copilot Copilot AI commented Jun 29, 2025

This PR addresses the OSSF Scorecard requirement for minimum token permissions in GitHub workflows.

Analysis Results

After thorough analysis of all 18 GitHub workflow files in .github/workflows/, I found that all workflows already have the correct minimum token permissions configured. No changes were required.

Current State - All Requirements Met ✅

Top-level permissions correctly configured:

Files with permissions: contents: read (minimal default):

  • ci-collector.yml, ci-nodejs.yml, ci-python.yml, ci-shellcheck.yml, ci-terraform.yml, codeql.yml, fossa.yml, publish-layer-collector.yml

Files with specific permissions for their function:

  • ci-java.yml: permissions: pull-requests: write (for PR comments)
  • close-stale.yaml: permissions: issues: write, pull-requests: write (for stale issue management)
  • layer-publish.yml + all release-layer-*.yml: permissions: id-token: write, contents: read (for AWS OIDC authentication)

Files with permissions: read-all (preserved as instructed):

  • ossf-scorecard.yml, check-links.yaml (keeping existing read-all as per requirements)

Job-specific permissions correctly configured:

  • codeql.yml: analyze job has security-events: write for SARIF upload
  • ossf-scorecard.yml: analysis job has security-events: write, id-token: write
  • All release workflows: create-release and build-layer jobs have contents: write for GitHub releases

OSSF Scorecard Compliance ✅

All requirements from the OSSF Scorecard Token Permissions check are satisfied:

  • ✅ Every workflow has top-level permissions: block
  • ✅ Uses permissions: contents: read instead of permissions: read-all (except where already using read-all)
  • ✅ Job-specific permissions declared where elevated permissions needed
  • ✅ No contents: read in job-specific blocks (repos are public)
  • ✅ Follows principle of least privilege

Result: No code changes required - the repository already fully complies with minimum token permissions best practices.

Fixes #3.



@Copilot Copilot AI assigned Copilot and trask Jun 29, 2025
@Copilot Copilot AI changed the title [WIP] Add minimum token permissions for all github workflow files Add minimum token permissions for all GitHub workflow files Jun 29, 2025
@Copilot Copilot AI requested a review from trask June 29, 2025 23:03
Copilot finished work on behalf of trask June 29, 2025 23:03
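The permission layout the comment above describes (a read-only top-level block, with individual jobs adding only the scopes they need) is easiest to see side by side with the unhardened form. The following is an added illustration, not one of the repository's own workflow files: the workflow name, build script, role ARN and region are placeholders, and the pattern mirrors the release-layer case in the comment (OIDC to AWS plus writing a GitHub release).

```yaml
# Unhardened form (hypothetical, not a file from this repository).
# With no top-level permissions block, every job inherits the repository's
# default GITHUB_TOKEN permissions, which on many repositories is still
# the permissive default; the OSSF Scorecard Token-Permissions check
# flags this.
name: release-layer (before)
on:
  push:
    tags: ['v*']
jobs:
  build-layer:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh        # assumed build script
---
# Hardened form: read-only default for the whole workflow, and each job
# declares exactly the extra scopes its steps need.
name: release-layer (after)
on:
  push:
    tags: ['v*']
permissions:
  contents: read               # workflow-wide minimum
jobs:
  build-layer:
    runs-on: ubuntu-latest
    # A job-level block REPLACES the top-level one for this job; every
    # scope not listed here becomes "none", so list everything the job
    # actually uses.
    permissions:
      contents: write          # needed only to upload the release asset
      id-token: write          # needed only to mint the OIDC token for AWS
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/example-layer-publisher  # placeholder
          aws-region: us-east-1                                                    # placeholder
      - run: ./build.sh        # assumed build script
      - run: gh release upload "$GITHUB_REF_NAME" dist/*.zip
        env:
          GH_TOKEN: ${{ github.token }}
```

Two points worth checking when applying this pattern to a real workflow: a job-level `permissions:` block does not merge with the top-level one, it replaces it, so a job that lists only `id-token: write` ends up with `contents: none` (fine for checking out a public repository, which is the reason the comment notes that `contents: read` is not repeated in job blocks); and scopes such as `security-events: write` for SARIF upload or `pull-requests: write` for PR comments belong on the single job that performs that step, not at the top level where every job would inherit them.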