Skip to content

CI: add least-privilege permissions to GitHub Actions workflows#4164

Merged
testableapple merged 19 commits into
developfrom
ci/workflow-least-privilege-permissions
Jul 9, 2026
Merged

CI: add least-privilege permissions to GitHub Actions workflows#4164
testableapple merged 19 commits into
developfrom
ci/workflow-least-privilege-permissions

Conversation

@peter-matkovski

@peter-matkovski peter-matkovski commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Add explicit least-privilege permissions blocks to workflow files flagged by CodeQL.
  • Scopes derived from workflow operations (build, artifacts, Danger, release git push).
  • Resolves 28 open actions/missing-workflow-permissions alerts.

Linear

Test plan

  • CI green
  • Code scanning alerts close after merge

Summary by CodeRabbit

  • Chores
    • Updated multiple automation workflows to declare explicit GitHub Actions permission scopes.
    • Applied least-privilege access across workflows (typically contents: read and pull-requests/actions read or write only where necessary).
    • No changes to workflow triggers, jobs, or execution logic—only token permission scopes were tightened.

Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
@peter-matkovski peter-matkovski requested a review from a team as a code owner July 8, 2026 11:24
@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

This PR adds explicit top-level permissions blocks to twelve GitHub Actions workflow files, scoping each workflow's token access instead of relying on default permissions. No job logic, steps, or triggers were changed.

Changes

Workflow Permissions Hardening

Layer / File(s) Summary
CI/build/testing workflow permissions
.github/workflows/backend-checks.yml, .github/workflows/cron-checks.yml, .github/workflows/record-snapshots.yml, .github/workflows/smoke-checks.yml, .github/workflows/sonar.yml, .github/workflows/sdk-performance-metrics.yml, .github/workflows/sdk-size-metrics.yml
Each workflow gains an explicit permissions block scoping token access with actions, contents, and/or pull-requests read/write settings.
Release and publishing workflow permissions
.github/workflows/release-merge.yml, .github/workflows/release-publish.yml, .github/workflows/release-start.yml, .github/workflows/testflight.yml, .github/workflows/update-copyright.yml
Each workflow gains an explicit permissions block scoping token access for release and publishing automation jobs.

Estimated code review effort: 1 (Trivial) | ~5 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: adding least-privilege permissions to GitHub Actions workflows.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci/workflow-least-privilege-permissions

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

Public Interface

🚀 No changes affecting the public interface.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🧹 Nitpick comments (1)
.github/workflows/release-publish.yml (1)

6-7: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Move contents: write to the release job level.

zizmor flags contents: write as overly broad at the workflow level. The merge-main-to-develop job (line 32) uses ADMIN_API_TOKEN for both checkout (line 39) and GITHUB_TOKEN (line 46), so it doesn't rely on the auto-generated token's permissions. Scoping contents: write to only the release job reduces the attack surface.

♻️ Proposed refactor
 permissions:
-  contents: write
+  contents: read

   release:
     name: Publish new release
     runs-on: macos-15
+    permissions:
+      contents: write
     steps:
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release-publish.yml around lines 6 - 7, Move the
workflow-level contents: write permission into the release job in
release-publish.yml so the global permissions block is no longer overly broad.
Keep merge-main-to-develop relying on ADMIN_API_TOKEN and GITHUB_TOKEN as it
already does, and scope the write access only to the release job by updating the
permissions configuration around the release job definition.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/cron-checks.yml:
- Around line 24-27: The workflow-level permissions block grants actions: write
unnecessarily; remove that permission from the cron-checks workflow since none
of the jobs or steps use the Actions API, and keep only the minimum needed
permissions such as contents: read. Update the permissions section in the
workflow file accordingly, leaving concurrency.cancel-in-progress unchanged
because it does not require Actions access.

In @.github/workflows/smoke-checks.yml:
- Around line 28-32: The workflow permissions are broader than needed for the
ci-guard usage. Update the permissions block in the smoke-checks workflow so the
token is scoped to what `.github/actions/ci-guard/action.yml` actually needs:
keep `actions: write`, change `pull-requests` to read-only, and remove the
unnecessary write-level PR scope since PR comment/create uses
`secrets.DANGER_GITHUB_API_TOKEN` instead.

In @.github/workflows/sonar.yml:
- Around line 15-17: The workflow permissions block is missing the Actions API
scope, so the artifact lookup/download steps in the sonar workflow can fail with
a 403. Update the permissions section to include actions: read alongside
contents: read, keeping the change within the workflow configuration so the
artifact-related steps can access the Actions API.

In @.github/workflows/update-copyright.yml:
- Around line 13-15: The update-copyright workflow is currently configured with
read-only repository permissions, which prevents the copyright bot from pushing
its generated commit and creating the branch/PR. Update the permissions block in
the update-copyright workflow to grant write access for repository contents, and
ensure the pr_create step can use a write-capable token so the scheduled job can
publish its changes.

---

Nitpick comments:
In @.github/workflows/release-publish.yml:
- Around line 6-7: Move the workflow-level contents: write permission into the
release job in release-publish.yml so the global permissions block is no longer
overly broad. Keep merge-main-to-develop relying on ADMIN_API_TOKEN and
GITHUB_TOKEN as it already does, and scope the write access only to the release
job by updating the permissions configuration around the release job definition.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e47c4733-90d1-42cd-a5a8-6c3aa8340aae

📥 Commits

Reviewing files that changed from the base of the PR and between 079bf27 and f808d63.

📒 Files selected for processing (12)
  • .github/workflows/backend-checks.yml
  • .github/workflows/cron-checks.yml
  • .github/workflows/record-snapshots.yml
  • .github/workflows/release-merge.yml
  • .github/workflows/release-publish.yml
  • .github/workflows/release-start.yml
  • .github/workflows/sdk-performance-metrics.yml
  • .github/workflows/sdk-size-metrics.yml
  • .github/workflows/smoke-checks.yml
  • .github/workflows/sonar.yml
  • .github/workflows/testflight.yml
  • .github/workflows/update-copyright.yml

Comment thread .github/workflows/cron-checks.yml
Comment thread .github/workflows/smoke-checks.yml
Comment thread .github/workflows/sonar.yml
Comment thread .github/workflows/update-copyright.yml
@Stream-SDK-Bot

Copy link
Copy Markdown
Collaborator

SDK Performance

target metric benchmark branch performance status
MessageList Hitches total duration 10 ms 3.34 ms 66.6% 🔼 🟢
Duration 2.6 s 2.53 s 2.69% 🔼 🟢
Hitch time ratio 4 ms per s 1.31 ms per s 67.25% 🔼 🟢
Frame rate 75 fps 79.44 fps 5.92% 🔼 🟢
Number of hitches 1 0.4 60.0% 🔼 🟢

@peter-matkovski peter-matkovski self-assigned this Jul 8, 2026
@testableapple testableapple enabled auto-merge (squash) July 9, 2026 11:37
@testableapple testableapple disabled auto-merge July 9, 2026 12:04
@testableapple testableapple enabled auto-merge (squash) July 9, 2026 12:51
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
4 Errors
🚫 Please start subject with capital letter.
ee8486a
🚫 Please start subject with capital letter.
bf0a02b
🚫 Please start subject with capital letter.
6568162
🚫 Please start subject with capital letter.
a44ec10

Generated by 🚫 Danger

@Stream-SDK-Bot

Copy link
Copy Markdown
Collaborator

SDK Size

title develop branch diff status
StreamChat 7.53 MB 7.53 MB 0 KB 🟢
StreamChatUI 4.27 MB 4.27 MB 0 KB 🟢
StreamChatCommonUI 0.84 MB 0.84 MB 0 KB 🟢

@sonarqubecloud

sonarqubecloud Bot commented Jul 9, 2026

Copy link
Copy Markdown

@testableapple testableapple disabled auto-merge July 9, 2026 16:15
@testableapple testableapple merged commit 712984a into develop Jul 9, 2026
17 of 18 checks passed
@testableapple testableapple deleted the ci/workflow-least-privilege-permissions branch July 9, 2026 16:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants