CI: add least-privilege permissions to GitHub Actions workflows#4164
Conversation
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
📝 WalkthroughWalkthroughThis PR adds explicit top-level ChangesWorkflow Permissions Hardening
Estimated code review effort: 1 (Trivial) | ~5 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Public Interface🚀 No changes affecting the public interface. |
There was a problem hiding this comment.
Actionable comments posted: 4
🧹 Nitpick comments (1)
.github/workflows/release-publish.yml (1)
6-7: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winMove
contents: writeto thereleasejob level.zizmor flags
contents: writeas overly broad at the workflow level. Themerge-main-to-developjob (line 32) usesADMIN_API_TOKENfor both checkout (line 39) andGITHUB_TOKEN(line 46), so it doesn't rely on the auto-generated token's permissions. Scopingcontents: writeto only thereleasejob reduces the attack surface.♻️ Proposed refactor
permissions: - contents: write + contents: read release: name: Publish new release runs-on: macos-15 + permissions: + contents: write steps:🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/release-publish.yml around lines 6 - 7, Move the workflow-level contents: write permission into the release job in release-publish.yml so the global permissions block is no longer overly broad. Keep merge-main-to-develop relying on ADMIN_API_TOKEN and GITHUB_TOKEN as it already does, and scope the write access only to the release job by updating the permissions configuration around the release job definition.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/cron-checks.yml:
- Around line 24-27: The workflow-level permissions block grants actions: write
unnecessarily; remove that permission from the cron-checks workflow since none
of the jobs or steps use the Actions API, and keep only the minimum needed
permissions such as contents: read. Update the permissions section in the
workflow file accordingly, leaving concurrency.cancel-in-progress unchanged
because it does not require Actions access.
In @.github/workflows/smoke-checks.yml:
- Around line 28-32: The workflow permissions are broader than needed for the
ci-guard usage. Update the permissions block in the smoke-checks workflow so the
token is scoped to what `.github/actions/ci-guard/action.yml` actually needs:
keep `actions: write`, change `pull-requests` to read-only, and remove the
unnecessary write-level PR scope since PR comment/create uses
`secrets.DANGER_GITHUB_API_TOKEN` instead.
In @.github/workflows/sonar.yml:
- Around line 15-17: The workflow permissions block is missing the Actions API
scope, so the artifact lookup/download steps in the sonar workflow can fail with
a 403. Update the permissions section to include actions: read alongside
contents: read, keeping the change within the workflow configuration so the
artifact-related steps can access the Actions API.
In @.github/workflows/update-copyright.yml:
- Around line 13-15: The update-copyright workflow is currently configured with
read-only repository permissions, which prevents the copyright bot from pushing
its generated commit and creating the branch/PR. Update the permissions block in
the update-copyright workflow to grant write access for repository contents, and
ensure the pr_create step can use a write-capable token so the scheduled job can
publish its changes.
---
Nitpick comments:
In @.github/workflows/release-publish.yml:
- Around line 6-7: Move the workflow-level contents: write permission into the
release job in release-publish.yml so the global permissions block is no longer
overly broad. Keep merge-main-to-develop relying on ADMIN_API_TOKEN and
GITHUB_TOKEN as it already does, and scope the write access only to the release
job by updating the permissions configuration around the release job definition.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: e47c4733-90d1-42cd-a5a8-6c3aa8340aae
📒 Files selected for processing (12)
.github/workflows/backend-checks.yml.github/workflows/cron-checks.yml.github/workflows/record-snapshots.yml.github/workflows/release-merge.yml.github/workflows/release-publish.yml.github/workflows/release-start.yml.github/workflows/sdk-performance-metrics.yml.github/workflows/sdk-size-metrics.yml.github/workflows/smoke-checks.yml.github/workflows/sonar.yml.github/workflows/testflight.yml.github/workflows/update-copyright.yml
SDK Performance
|
SDK Size
|
|



Summary
permissionsblocks to workflow files flagged by CodeQL.actions/missing-workflow-permissionsalerts.Linear
Test plan
Summary by CodeRabbit
contents: readandpull-requests/actionsread or write only where necessary).