Conversation

@Copilot Copilot AI commented Jul 12, 2025

This PR adds minimum token permissions to all GitHub workflow files to improve security posture according to OpenSSF Scorecard recommendations.

Changes Made

Root-Level Permissions Added

Added permissions: contents: read to 14 workflow files that were missing root-level permissions:

  • close-stale.yml
  • codeql-analysis.yml
  • component-owners.yml
  • label-prs.yml
  • lint.yml
  • peer-api.yaml
  • pr-title.yml
  • release-please-validate.yaml
  • release-please.yml
  • test-all-versions.pr.yml
  • test-all-versions.push.yml
  • test-all-versions.yml
  • unit-test.yml
  • update-otel-deps.yaml

Job-Level Permissions Added

Added appropriate job-level write permissions where needed:

  • close-stale.yml: Added issues: write and pull-requests: write for stale bot actions
  • codeql-analysis.yml: Added security-events: write for CodeQL analysis uploads
  • component-owners.yml: Added pull-requests: write for assigning reviewers
  • pr-title.yml: Added pull-requests: write for PR title validation comments
  • release-please.yml: Added contents: write and pull-requests: write for release actions

Existing Permissions Preserved

The following files already had proper root-level permissions and were left unchanged:

  • fossa.yml (already had permissions: contents: read)
  • ossf-scorecard.yml (already had permissions: read-all)

Verification

All 16 workflow files now pass OpenSSF Scorecard Token-Permissions check:

  • ✅ Every workflow has root-level permissions defined
  • ✅ Root-level permissions are limited to contents: read or read-all
  • ✅ Write permissions are properly scoped to job level where needed
  • ✅ All permissions include explanatory comments for write access requirements

Security Impact

This change significantly improves the repository's security posture by:

  • Implementing the principle of least privilege for workflow permissions
  • Reducing the attack surface by limiting default token permissions
  • Meeting OpenSSF Scorecard security requirements for token permissions

Fixes #16.
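As an added illustration (not part of this PR or the repository), a small Python checker that applies the criteria listed under Verification to a workflow already parsed into a dict, i.e. the structure `yaml.safe_load` returns for the file; the function names and the two sample workflows (shaped like codeql-analysis.yml before and after the change) are constructed here and are not the repository's actual file contents.

```python
"""Check GitHub Actions workflow token permissions against the criteria this PR
lists: root permissions present and read-only, write access only at job level."""
from typing import Any

ROOT_READ_ONLY_SHORTHANDS = {"read-all"}   # scalar form GitHub accepts at root
NON_WRITE_SCOPE_VALUES = {"read", "none"}  # per-scope values that grant no write

def root_permissions_ok(workflow: dict[str, Any]) -> tuple[bool, str]:
    """Root-level `permissions` must exist and must not grant write access."""
    if "permissions" not in workflow:
        return False, "no root-level permissions block"
    perms = workflow["permissions"]
    if isinstance(perms, str):
        if perms in ROOT_READ_ONLY_SHORTHANDS:
            return True, f"root shorthand {perms!r} is read-only"
        return False, f"root shorthand {perms!r} grants write access"
    if isinstance(perms, dict):  # `{}` (no scopes at all) is also acceptable
        writes = sorted(k for k, v in perms.items() if v not in NON_WRITE_SCOPE_VALUES)
        if writes:
            return False, "root-level write permissions: " + ", ".join(writes)
        return True, "root-level permissions are read-only"
    return False, f"unexpected permissions value: {perms!r}"

def job_write_scopes(workflow: dict[str, Any]) -> dict[str, list[str]]:
    """Map job id -> scopes that job elevates to write (for review, not a failure)."""
    found: dict[str, list[str]] = {}
    for job_id, job in (workflow.get("jobs") or {}).items():
        perms = (job or {}).get("permissions")
        if isinstance(perms, dict):
            writes = sorted(k for k, v in perms.items() if v == "write")
            if writes:
                found[job_id] = writes
        elif perms == "write-all":
            found[job_id] = ["write-all"]
    return found

# Constructed samples mimicking the shape of codeql-analysis.yml before and
# after this PR (illustrative only, not the repository's real file contents).
BEFORE = {"name": "CodeQL", "on": ["push"],
          "jobs": {"analyze": {"runs-on": "ubuntu-latest", "steps": []}}}
AFTER = {"name": "CodeQL", "on": ["push"],
         "permissions": {"contents": "read"},
         "jobs": {"analyze": {"runs-on": "ubuntu-latest",
                              # write is needed only here, to upload CodeQL results
                              "permissions": {"contents": "read", "security-events": "write"},
                              "steps": []}}}

if __name__ == "__main__":
    for name, wf in (("before", BEFORE), ("after", AFTER)):
        print(name, root_permissions_ok(wf), job_write_scopes(wf))
```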



@Copilot Copilot AI changed the title [WIP] Add minimum token permissions for all github workflow files Add minimum token permissions for all GitHub workflow files Jul 12, 2025
@Copilot Copilot AI requested a review from trask July 12, 2025 21:51
Copilot finished work on behalf of trask July 12, 2025 21:51