
Add top-level permissions to GitHub Actions workflows#72

Merged: rajbos merged 2 commits into main from copilot/fix-github-token-permissions on Dec 27, 2025

Conversation

Contributor

Copilot AI commented Dec 27, 2025

Code scanning flagged workflows missing explicit top-level permissions declarations, allowing default permissive GITHUB_TOKEN access.

Changes

  • ci.yml: Added permissions: contents: read (resolves primary alert)
  • release.yml: Added permissions: contents: read with job-level override to contents: write
  • sync-release-notes.yml: Added permissions: contents: read with job-level override to contents: write

Result

All workflows now explicitly declare minimum required permissions at the top level, following the principle of least privilege. Jobs requiring elevated permissions override as needed at job scope.

permissions:
  contents: read

jobs:
  release:
    permissions:
      contents: write
Original prompt

Handle this code scanning alert:

score is 0: no topLevel permission defined
Remediation tip: Visit https://app.stepsecurity.io/secureworkflow.
Tick the 'Restrict permissions for GITHUB_TOKEN'
Untick other options
NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead.
Click Remediation section below for further remediation help


Co-authored-by: rajbos <6085745+rajbos@users.noreply.github.com>
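As an added example (not code from this PR or from the repository it targets), the following Python script reproduces the spirit of the code-scanning check quoted in the prompt: it flags a workflow that has no top-level permissions block or an over-broad one (write-all, or a write scope granted to every job), and it reads job-level overrides so that the pattern this PR adopts (read-only default, contents: write only on the job that needs it) passes clean. The scanner is a line-based heuristic rather than a YAML parser, and the two workflow texts inside it are constructed samples, not the repository's ci.yml or release.yml.

```python
"""Heuristic audit of GitHub Actions workflows for GITHUB_TOKEN permissions.
Added example, not code from this PR or its repository. It approximates the
code-scanning check quoted in the PR ("no topLevel permission defined") with a
line-based scan, so it needs no PyYAML. The workflow texts are constructed samples."""
import re

TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_][\w-]*):")                # key at column 0
SCOPE_LINE = re.compile(r"^\s+([\w-]+):\s*(read|write|none)\s*$")  # '  contents: read'

def top_level_blocks(text):
    """Group non-blank, non-comment lines under the column-0 key that owns them."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = "" if raw.lstrip().startswith("#") else raw.split(" #", 1)[0].rstrip()
        if not line.strip():
            continue
        match = TOP_LEVEL_KEY.match(line)
        if match:
            current = match.group(1)
            blocks[current] = [line]
        elif current is not None:
            blocks[current].append(line)
    return blocks

def parse_permissions(lines):
    """Interpret a permissions block as 'read-all', 'write-all', {} or {scope: level}."""
    inline = lines[0].split(":", 1)[1].strip()
    if inline in ("read-all", "write-all"):
        return inline
    scopes = {}
    for line in lines[1:]:
        match = SCOPE_LINE.match(line)
        if match:
            scopes[match.group(1)] = match.group(2)
    return scopes

def job_permissions(jobs_block):
    """Map job id -> lines of its own permissions block, or None if it inherits."""
    jobs, current, perm_lines = {}, None, None
    job_indent = child_indent = perm_indent = None
    for line in jobs_block[1:]:                       # skip the 'jobs:' header
        indent, stripped = len(line) - len(line.lstrip()), line.strip()
        if job_indent is None:
            job_indent = indent                       # indent of the job ids
        if indent == job_indent and re.fullmatch(r"[\w-]+:", stripped):
            current, child_indent, perm_lines = stripped[:-1], None, None
            jobs[current] = None
            continue
        if current is None:
            continue
        if child_indent is None:
            child_indent = indent                     # indent of the job's own keys
        if perm_lines is not None and indent > perm_indent:
            perm_lines.append(line)                   # scope lines of the override
            continue
        perm_lines = None
        if indent == child_indent and stripped.startswith("permissions:"):
            perm_indent, perm_lines = indent, [stripped]
            jobs[current] = perm_lines
    return jobs

def audit_workflow(name, text):
    """Return findings for one workflow: missing or over-broad token permissions."""
    findings, blocks = [], top_level_blocks(text)
    if "permissions" not in blocks:
        findings.append(f"{name}: no top-level permissions defined")
    else:
        top = parse_permissions(blocks["permissions"])
        if top == "write-all":
            findings.append(f"{name}: top-level permissions is write-all")
        elif isinstance(top, dict):
            findings += [f"{name}: top-level '{s}: write' applies to every job"
                         for s, level in top.items() if level == "write"]
    for job, lines in job_permissions(blocks.get("jobs", ["jobs:"])).items():
        if lines is not None and parse_permissions(lines) == "write-all":
            findings.append(f"{name}: job '{job}' requests write-all")
    return findings

# Constructed sample: the shape the alert flags (no permissions block at all).
BEFORE = """name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps: [{uses: actions/checkout@v4}, {run: make test}]"""
# Constructed sample: the shape this PR adopts (read-only default, job-level write).
AFTER = """name: release
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps: [{uses: actions/checkout@v4}]
  release:
    runs-on: ubuntu-latest
    needs: build
    permissions:
      contents: write   # only the publishing job needs write access
    steps: [{run: echo publish}]"""

if __name__ == "__main__":
    for name, text in (("ci.yml", BEFORE), ("release.yml", AFTER)):
        print(name, audit_workflow(name, text) or ["ok"])
```

To use it on a checkout, call audit_workflow(path.name, path.read_text()) for each file under .github/workflows; a non-empty return is a finding. The reason the top-level block matters is that without it the token's permissions come from the repository or organization default, which the workflow author does not control; an explicit `contents: read` at the top pins the baseline, and the job-level `contents: write` then widens it only where the release job actually needs it.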
Copilot AI changed the title from "[WIP] Fix code scanning alert for GitHub token permissions" to "Add top-level permissions to GitHub Actions workflows" on Dec 27, 2025
Copilot AI requested a review from rajbos December 27, 2025 19:10
@rajbos rajbos marked this pull request as ready for review December 27, 2025 19:36
@rajbos rajbos enabled auto-merge December 27, 2025 19:36
@rajbos rajbos disabled auto-merge December 27, 2025 19:53
@rajbos rajbos merged commit 11212ef into main Dec 27, 2025
13 checks passed
@rajbos rajbos deleted the copilot/fix-github-token-permissions branch December 27, 2025 19:53