chore(security): add top-level permissions to 5 reusable workflows (#790)

anandray · web-flow · commit 13771efcdce4 · 2026-05-07T17:45:16.000-07:00
Adds `permissions: contents: read` (least-privilege default) to the top of five workflow files that had no top-level permissions declaration: - .github/workflows/_build.yaml (Scorecard #513) - .github/workflows/_docker.yaml (Scorecard #514) - .github/workflows/_init.yaml (Scorecard #515) - .github/workflows/_release.yaml (Scorecard #516) - .github/workflows/sync-models.yml (Scorecard #605) Existing job-level `permissions:` blocks within these files are unaffected; the top-level acts as a default ceiling that individual jobs can raise where they actually need write access (Docker push, release tag push, etc.). Stage 1 of 3 in cleaning up TokenPermissionsID findings: Stage 1 (this PR): no top-level permissions -> 5 alerts Stage 2 (separate): broad top-level writes -> 3 alerts Stage 3 (separate): job-level writes for -> 7 alerts legitimate release ops SOC2 CC7.1 vulnerability management — mechanical batch resolution following SECURITY.md disposition framework (Fix). Fixes #789 Co-authored-by: Anand Ray <anand.ray@rocketride.ai>
diff --git a/.github/workflows/_build.yaml b/.github/workflows/_build.yaml
@@ -1,5 +1,11 @@
 name: Build
 
+# Default least-privilege permissions for the workflow. Individual jobs
+# below raise to write where they actually need it (Docker push, SARIF
+# upload, etc.). Closes Scorecard TokenPermissionsID #513.
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
diff --git a/.github/workflows/_docker.yaml b/.github/workflows/_docker.yaml
@@ -1,5 +1,11 @@
 name: Docker
 
+# Default least-privilege permissions for the workflow. Individual jobs
+# below raise to write where they actually need it (image push to GHCR).
+# Closes Scorecard TokenPermissionsID #514.
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
diff --git a/.github/workflows/_init.yaml b/.github/workflows/_init.yaml
@@ -1,5 +1,11 @@
 name: Initialize
 
+# Default least-privilege permissions for the workflow. The init job
+# only reads the repo to compute version/build variables; no writes
+# needed. Closes Scorecard TokenPermissionsID #515.
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
diff --git a/.github/workflows/_release.yaml b/.github/workflows/_release.yaml
@@ -1,5 +1,12 @@
 name: Release
 
+# Default least-privilege permissions for the workflow. Individual
+# release jobs below raise to write where they actually need it
+# (tag pushes, GitHub releases, package publishing).
+# Closes Scorecard TokenPermissionsID #516.
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
diff --git a/.github/workflows/sync-models.yml b/.github/workflows/sync-models.yml
@@ -1,5 +1,12 @@
 name: Sync LLM Models
 
+# Default least-privilege permissions for the workflow. The `sync`
+# job below raises to contents:write + pull-requests:write to commit
+# updated model manifests and open the PR. Closes Scorecard
+# TokenPermissionsID #605.
+permissions:
+  contents: read
+
 on:
   schedule:
     - cron: '0 5 * * 1' # Mondays 05:00 UTC
