Update workflow permissions to empty object for consistency#720
Merged
Conversation
frasermolyneux
temporarily deployed
to
Development
GitHub Actions
Inactive
There was a problem hiding this comment.
Pull request overview
This PR tightens GitHub Actions security by removing broad default workflow permissions and requiring each job to explicitly request only the permissions it needs, alongside a small automation tweak and README badge update.
Changes:
- Replaced workflow-level
permissions: read-allwithpermissions: {}across workflows, relying on job-level permission grants. - Updated the Dependabot auto-merge workflow to use squash merges (
gh pr merge --auto --squash). - Removed the DevOps Secure Scanning badge from
README.md.
Reviewed changes
Copilot reviewed 14 out of 14 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| README.md | Removes the DevOps Secure Scanning badge from the workflows section. |
| .github/workflows/build-and-test.yml | Switches workflow default permissions to {} while keeping job-scoped permissions. |
| .github/workflows/codequality.yml | Switches workflow default permissions to {} and adds id-token: write for secure scanning job. |
| .github/workflows/copilot-setup-steps.yml | Switches workflow default permissions to {} for least-privilege baseline. |
| .github/workflows/dependabot-automerge.yml | Switches workflow default permissions to {} and changes Dependabot merge strategy to squash. |
| .github/workflows/deploy-dev.yml | Switches workflow default permissions to {} while retaining job-scoped permissions for OIDC and repo access. |
| .github/workflows/deploy-prd.yml | Switches workflow default permissions to {} while retaining job-scoped permissions for OIDC and repo access. |
| .github/workflows/destroy-development.yml | Switches workflow default permissions to {} while retaining job-scoped permissions. |
| .github/workflows/destroy-environment.yml | Switches workflow default permissions to {} while retaining job-scoped permissions. |
| .github/workflows/integration-tests.yml | Switches workflow default permissions to {} while retaining job-scoped permissions. |
| .github/workflows/pr-verify.yml | Switches workflow default permissions to {} while retaining job-scoped permissions. |
| .github/workflows/release-publish-nuget.yml | Switches workflow default permissions to {} while retaining job-scoped permissions. |
| .github/workflows/release-version-and-tag.yml | Switches workflow default permissions to {} while retaining job-scoped permissions. |
| .github/workflows/update-dashboard-from-staging.yml | Switches workflow default permissions to {} while retaining job-scoped permissions. |
frasermolyneux
temporarily deployed
to
Development
GitHub Actions
Inactive
|
This was referenced Feb 10, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This pull request makes several improvements to the project's GitHub Actions workflows, primarily by tightening permissions and updating automation behavior. The main focus is on enhancing security by removing the broad
read-allpermission from all workflows and replacing it with more restrictive or explicit permissions. Additionally, there are minor updates to workflow steps and documentation.Workflow permissions and security improvements:
Replaced the global
permissions: read-allsetting withpermissions: {}in all workflow files, reducing the default permissions granted to GitHub Actions and following the principle of least privilege. (.github/workflows/build-and-test.yml [1] .github/workflows/codequality.yml [2] .github/workflows/copilot-setup-steps.yml [3] .github/workflows/dependabot-automerge.yml [4] .github/workflows/deploy-dev.yml [5] .github/workflows/deploy-prd.yml [6] .github/workflows/destroy-development.yml [7] .github/workflows/destroy-environment.yml [8] .github/workflows/integration-tests.yml [9] .github/workflows/pr-verify.yml [10] .github/workflows/release-publish-nuget.yml [11] .github/workflows/release-version-and-tag.yml [12] .github/workflows/update-dashboard-from-staging.yml [13]In
.github/workflows/codequality.yml, explicitly grantedid-token: writepermission to thedevops-secure-scanningjob, which is required for secure scanning workflows.Workflow automation and behavior changes:
--squashmerge strategy instead of--merge, ensuring merged PRs are squashed into a single commit. (.github/workflows/dependabot-automerge.yml .github/workflows/dependabot-automerge.ymlL25-R28)Documentation updates:
README.mdto reflect workflow or visibility changes. (README.md README.mdL5)