Remove over-provisioned actions scope from GITHUB_TOKEN permissions

gcl-sekoia · gcl-sekoia · commit de8b0803fe8a · 2026-03-26T15:44:53.000+01:00
The `actions: write` (and `actions: read` in scorecard) permissions added in quickwit-oss#5946 are unnecessary: actions/cache and actions/upload-artifact authenticate via ACTIONS_RUNTIME_TOKEN, not GITHUB_TOKEN, and actions/download-artifact only uses GITHUB_TOKEN when its github-token input is explicitly set. Where removing `actions: write` left only `contents: read` (matching the workflow-level default), the redundant job-level permissions block is removed entirely. For the tests and lints jobs in ci.yml, `actions: write` is replaced with `pull-requests: read` which dorny/paths-filter actually needs to read PR file lists.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -34,7 +34,7 @@ jobs:
     timeout-minutes: 60
     permissions:
       contents: read
-      actions: write
+      pull-requests: read
     services:
       # PostgreSQL service container
       postgres:
@@ -120,7 +120,7 @@ jobs:
     timeout-minutes: 60
     permissions:
       contents: read
-      actions: write
+      pull-requests: read
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
@@ -192,9 +192,6 @@ jobs:
   thirdparty-license:
     name: Check Datadog third-party license file
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      actions: write
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       - name: Install Rust toolchain
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
@@ -31,9 +31,6 @@ jobs:
     name: Coverage
     runs-on: gh-ubuntu-arm64
     timeout-minutes: 40
-    permissions:
-      contents: read
-      actions: write
     # Setting a containing will require to fix the QW_S3_ENDPOINT to http://localstack:4566
     services:
       localstack:
diff --git a/.github/workflows/publish_docker_images.yml b/.github/workflows/publish_docker_images.yml
@@ -31,9 +31,6 @@ jobs:
             platform: linux/arm64
             platform_suffix: arm64
     runs-on: ${{ matrix.os }}
-    permissions:
-      contents: read
-      actions: write
     environment:
       name: production
     steps:
@@ -119,9 +116,6 @@ jobs:
   merge:
     runs-on: ubuntu-latest
     needs: [docker]
-    permissions:
-      contents: read
-      actions: read
     environment: production
     steps:
       - name: Download digests
diff --git a/.github/workflows/publish_nightly_packages.yml b/.github/workflows/publish_nightly_packages.yml
@@ -14,7 +14,6 @@ jobs:
     runs-on: macos-latest
     permissions:
       contents: write
-      actions: write
     strategy:
       fail-fast: false
       matrix:
@@ -35,7 +34,6 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
-      actions: write
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       - uses: ./.github/actions/cross-build-binary
diff --git a/.github/workflows/publish_release_packages.yml b/.github/workflows/publish_release_packages.yml
@@ -14,7 +14,6 @@ jobs:
     runs-on: macos-latest
     permissions:
       contents: write
-      actions: write
     strategy:
       matrix:
         target: [x86_64-apple-darwin, aarch64-apple-darwin]
@@ -37,7 +36,6 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
-      actions: write
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       - name: Extract asset version
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -18,7 +18,6 @@ jobs:
       security-events: write
       # Needed to publish results
       id-token: write
-      actions: read
       contents: read
 
     steps:
diff --git a/.github/workflows/ui-ci.yml b/.github/workflows/ui-ci.yml
@@ -21,9 +21,6 @@ jobs:
   tests:
     name: ${{ matrix.task.name }}
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      actions: write
     strategy:
       fail-fast: false
       matrix:
