Skip to content

ci: add least-privilege permissions to GitHub Actions workflows#9

Merged
peter-matkovski merged 3 commits into
getstreamfrom
ci/workflow-least-privilege-permissions
Jul 6, 2026
Merged

ci: add least-privilege permissions to GitHub Actions workflows#9
peter-matkovski merged 3 commits into
getstreamfrom
ci/workflow-least-privilege-permissions

Conversation

@peter-matkovski

Copy link
Copy Markdown

Summary

  • Add explicit workflow-level permissions blocks for CodeQL actions/missing-workflow-permissions alerts.
  • Minimal scopes only; actions: write where gh workflow run / cancel is used.

Linear

Test plan

  • CI passes
  • Code scanning alerts close after merge

Peter Matkovski added 2 commits July 6, 2026 12:05
Restrict default GITHUB_TOKEN scope per workflow. Write scopes granted only
where jobs dispatch/cancel workflows, publish packages, or label issues/PRs.

Refs: APPSEC-164

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 672036c189

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread .github/workflows/cherry-pick-auto.yml Outdated
Comment thread .github/workflows/release-delete.yml Outdated
Comment thread .github/workflows/recheck-cla.yml Outdated
…check

release-delete callers must pass contents: write to apecloud-cd reusable
workflows; recheck-cla needs pull-requests: write to post confirmation comments.

Co-authored-by: Cursor <cursoragent@cursor.com>
@peter-matkovski peter-matkovski merged commit 6093265 into getstream Jul 6, 2026
3 checks passed
@peter-matkovski peter-matkovski deleted the ci/workflow-least-privilege-permissions branch July 6, 2026 11:04

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 911e81b222

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

GO_VERSION: "1.24"

permissions:
contents: read

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Grant contents write for release branch merge

When this push workflow runs for a releasing-* branch, the trigger-mode job executes .github/utils/merge_releasing_branch.sh, which ends with git push using the credentials persisted by the preceding default actions/checkout. This new workflow-level contents: read cap removes write access from github.token, so the merge push will be rejected; grant contents: write for that job/workflow or checkout with the PAT already configured in env.

Useful? React with 👍 / 👎.

PROJECT_NUMBER: 2

permissions:
issues: write

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Keep contents read for milestone checkout

On every milestone close, move_issues runs actions/checkout@v4 before invoking the repo scripts, but this new workflow-level permissions map only grants issues: write; all omitted scopes, including contents, become unavailable to the default checkout token. Add contents: read here or pass a separate checkout token so the job can still reach the repository before moving issues.

Useful? React with 👍 / 👎.

ISINTERACTION: ''

permissions:
pull-requests: write

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Keep contents read for PR interaction checkout

For pull_request_target opened/edited events this job's first step is actions/checkout@v4, but the new permissions block grants only pull-requests: write and therefore removes contents: read from the default checkout token. Either add contents: read or remove/pass a token to the checkout step, otherwise the workflow can stop before it labels user-interaction PRs or requests reviewers.

Useful? React with 👍 / 👎.

GITHUB_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}

permissions:
issues: write

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Keep contents read for release issue moves

When the release published path runs in this workflow, it reaches the conditional actions/checkout@v4 before calling .github/utils/issue_prerelease.sh; the newly added workflow-level permissions only grant issues: write, so the default checkout token no longer has contents: read. Add contents: read here or provide a checkout token so published releases can still move prerelease issues.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant