
Copilot AI commented Oct 21, 2025

  • Analyze each workflow file to understand what permissions are needed
  • Set minimal permissions for everything.yml workflow
    • Add top-level read-only permissions
    • Add job-level write permissions where needed (caching, artifacts, etc.)
    • Remove redundant job-level read permissions (inherited from global)
  • Fix external.yml workflow to use minimal permissions instead of write-all
  • Add permissions to pypackaging.yml workflow jobs that are missing them
  • Add permissions to stale.yml workflow for issue/PR management
  • Validate all changes follow the principle of least privilege

Summary of Changes:

All workflows now have explicit, minimal permissions set:

everything.yml: Added contents: read at top-level. Jobs that only need read access inherit from global setting. Jobs that need write permissions (cache save, upload artifacts) have explicit job-level permissions with both contents: read and the required write permission.

external.yml: Replaced overly permissive write-all with contents: read and statuses: write (minimal permissions needed for CDash status updates).

pypackaging.yml: Added explicit permissions to all jobs - contents: read and actions: write for jobs that upload artifacts, actions: read for jobs that download artifacts.

stale.yml: Added contents: read, issues: write, and pull-requests: write permissions for stale issue/PR management.

All changes follow the principle of least privilege, granting only the permissions each job specifically needs.

Original prompt

This section details the original issue you should resolve

<issue_title>Restrict workflow token permissions</issue_title>
<issue_description>GitHub Actions workflows are using tokens with excessive permissions. Should explicitly set minimal permissions using the permissions: key in each workflow.

Most workflows should be read-only unless they specifically need write access.

Reference: https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#token-permissions</issue_description>

Comments on the Issue (you are @copilot in this section)

@vicentebolea Scorecard detailed results for Token-Permissions (0/10):
Debug: no jobLevel permission defined: .github/workflows/everything.yml:49
Debug: no jobLevel permission defined: .github/workflows/everything.yml:74
Debug: no jobLevel permission defined: .github/workflows/everything.yml:209
Debug: no jobLevel permission defined: .github/workflows/everything.yml:273
Debug: no jobLevel permission defined: .github/workflows/everything.yml:412
Debug: no jobLevel permission defined: .github/workflows/everything.yml:477
Debug: no jobLevel permission defined: .github/workflows/everything.yml:111
Debug: no jobLevel permission defined: .github/workflows/everything.yml:349
Info: jobLevel 'actions' permission set to 'read': .github/workflows/everything.yml:546
Info: jobLevel 'contents' permission set to 'read': .github/workflows/everything.yml:547
Debug: no jobLevel permission defined: .github/workflows/everything.yml:621
Debug: no jobLevel permission defined: .github/workflows/external.yml:9
Debug: no jobLevel permission defined: .github/workflows/pypackaging.yml:32
Debug: no jobLevel permission defined: .github/workflows/pypackaging.yml:51
Debug: no jobLevel permission defined: .github/workflows/stale.yml:8
Warn: no topLevel permission defined: .github/workflows/everything.yml:1
Warn: topLevel permissions set to 'write-all': .github/workflows/external.yml:6

Multiple jobs missing explicit permission definitions. The external.yml workflow has write-all permissions which is overly permissive. Most workflows should explicitly set read-only permissions and only grant write where necessary.

Fixes #4673



Copilot AI changed the title [WIP] Restrict workflow token permissions in GitHub Actions Restrict workflow token permissions to minimal required access Oct 21, 2025
Copilot AI requested a review from vicentebolea October 21, 2025 22:58
@vicentebolea vicentebolea force-pushed the copilot/restrict-workflow-token-permissions branch from 98e0a9f to 434361a October 22, 2025 23:22
@vicentebolea vicentebolea marked this pull request as ready for review October 23, 2025 00:47
@vicentebolea (Collaborator)

@copilot in everything.yaml remove explicit mentions of read perms since they are already globally set as read.

Contributor Author

Copilot AI commented Oct 23, 2025

@copilot in everything.yaml remove explicit mentions of read perms since they are already globally set as read.

Removed redundant contents: read from job-level permissions blocks. Jobs that only need read access now inherit from the global permissions setting. Jobs that need write permissions still explicitly declare both contents: read and their write permissions since job-level permissions override global settings. (fbdbed9)
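The shape of the changes described in the PR summary above and in this reply, shown as one added example workflow; it is not one of the repository's own workflow files. The workflow name, job names, the `make` targets and the specific cache/artifact/stale actions are illustrative assumptions, and the exact scope each action needs should be confirmed against that action's documentation before copying a grant.

```yaml
# Added example, not the project's workflow. Illustrates the three patterns
# the PR applied: a read-only top-level default, jobs that inherit it, and
# jobs that declare their own block because they need a write scope.
name: example-ci

on: [push, pull_request]

# Before (the state Scorecard flagged on external.yml as
# "topLevel permissions set to 'write-all'"): every job's GITHUB_TOKEN could
# push to the repository, publish packages, edit issues and more.
#
# permissions: write-all

# After: the token is read-only for every job that does not override it.
permissions:
  contents: read

jobs:
  # Inherits contents: read from the top level; no job-level block needed,
  # which is why the redundant read entries were dropped from everything.yml.
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make

  # A job-level permissions block REPLACES the top-level block, it does not
  # merge with it. Declaring only `actions: write` here would silently drop
  # contents: read and actions/checkout would fail, so jobs that need a
  # write scope restate contents: read alongside it.
  upload:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: write   # artifact upload, as the PR summary describes
    steps:
      - uses: actions/checkout@v4
      - run: make dist
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  # Mirrors the stale.yml change: closing stale issues and PRs needs write
  # on those two scopes and nothing else.
  stale:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write
      pull-requests: write
    steps:
      - uses: actions/stale@v9
```

Two things worth checking after a change like this: the two Warn lines in the Scorecard output (no top-level block on everything.yml:1, write-all on external.yml:6) are the findings that drive the score, so re-running Scorecard should show both gone; and any job that gained its own permissions block should be re-run once, because the replace-not-merge behaviour means a missing contents: read only shows up as a checkout failure at run time.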

@vicentebolea vicentebolea merged commit 405e464 into master Oct 23, 2025
40 checks passed
@vicentebolea vicentebolea deleted the copilot/restrict-workflow-token-permissions branch October 23, 2025 21:43