Skip to content

CI: add least-privilege permissions to GitHub Actions workflows#270

Open
peter-matkovski wants to merge 1 commit into
mainfrom
chore/workflow-least-privilege-permissions
Open

CI: add least-privilege permissions to GitHub Actions workflows#270
peter-matkovski wants to merge 1 commit into
mainfrom
chore/workflow-least-privilege-permissions

Conversation

@peter-matkovski

@peter-matkovski peter-matkovski commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Add explicit least-privilege permissions blocks to 2 workflows.
  • Resolves 5 open CodeQL actions/missing-workflow-permissions alerts.

Linear

Test plan

  • CI green
  • Code scanning alerts close after merge

Made with Cursor

Summary by CodeRabbit

  • Chores
    • Tightened GitHub Actions permissions in CI and test workflows to use read-only access where possible.
    • Improved workflow security by explicitly limiting token access for repository contents and pull request data.

Refs: APPSEC-164
Co-authored-by: Cursor <cursoragent@cursor.com>
@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 06e08331-26ce-4fd9-ad37-d3080fb286eb

📥 Commits

Reviewing files that changed from the base of the PR and between f552d7e and 7c01a0e.

📒 Files selected for processing (2)
  • .github/workflows/ci.yml
  • .github/workflows/run_tests.yml

📝 Walkthrough

Walkthrough

Explicit top-level permissions blocks were added to two GitHub Actions workflow files, restricting the default GITHUB_TOKEN scope to read-only access for contents (and pull requests in one file).

Changes

CI Workflow Permissions Hardening

Layer / File(s) Summary
Add explicit permissions blocks
.github/workflows/ci.yml, .github/workflows/run_tests.yml
Added top-level permissions settings restricting GITHUB_TOKEN to contents: read (and pull-requests: read in ci.yml), where previously no explicit permissions were declared.

Estimated code review effort: 1 (Trivial) | ~3 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: adding least-privilege permissions to GitHub Actions workflows.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/workflow-least-privilege-permissions

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@peter-matkovski peter-matkovski self-assigned this Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant