ci: add least-privilege permissions to GitHub Actions workflows#9
Conversation
Restrict default GITHUB_TOKEN scope per workflow. Write scopes granted only where jobs dispatch/cancel workflows, publish packages, or label issues/PRs. Refs: APPSEC-164
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 672036c189
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
…check release-delete callers must pass contents: write to apecloud-cd reusable workflows; recheck-cla needs pull-requests: write to post confirmation comments. Co-authored-by: Cursor <cursoragent@cursor.com>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 911e81b222
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| GO_VERSION: "1.24" | ||
|
|
||
| permissions: | ||
| contents: read |
There was a problem hiding this comment.
Grant contents write for release branch merge
When this push workflow runs for a releasing-* branch, the trigger-mode job executes .github/utils/merge_releasing_branch.sh, which ends with git push using the credentials persisted by the preceding default actions/checkout. This new workflow-level contents: read cap removes write access from github.token, so the merge push will be rejected; grant contents: write for that job/workflow or checkout with the PAT already configured in env.
Useful? React with 👍 / 👎.
| PROJECT_NUMBER: 2 | ||
|
|
||
| permissions: | ||
| issues: write |
There was a problem hiding this comment.
Keep contents read for milestone checkout
On every milestone close, move_issues runs actions/checkout@v4 before invoking the repo scripts, but this new workflow-level permissions map only grants issues: write; all omitted scopes, including contents, become unavailable to the default checkout token. Add contents: read here or pass a separate checkout token so the job can still reach the repository before moving issues.
Useful? React with 👍 / 👎.
| ISINTERACTION: '' | ||
|
|
||
| permissions: | ||
| pull-requests: write |
There was a problem hiding this comment.
Keep contents read for PR interaction checkout
For pull_request_target opened/edited events this job's first step is actions/checkout@v4, but the new permissions block grants only pull-requests: write and therefore removes contents: read from the default checkout token. Either add contents: read or remove/pass a token to the checkout step, otherwise the workflow can stop before it labels user-interaction PRs or requests reviewers.
Useful? React with 👍 / 👎.
| GITHUB_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }} | ||
|
|
||
| permissions: | ||
| issues: write |
There was a problem hiding this comment.
Keep contents read for release issue moves
When the release published path runs in this workflow, it reaches the conditional actions/checkout@v4 before calling .github/utils/issue_prerelease.sh; the newly added workflow-level permissions only grant issues: write, so the default checkout token no longer has contents: read. Add contents: read here or provide a checkout token so published releases can still move prerelease issues.
Useful? React with 👍 / 👎.
Summary
permissionsblocks for CodeQLactions/missing-workflow-permissionsalerts.actions: writewheregh workflow run/ cancel is used.Linear
Test plan