Skip to content

17 of 18 workflows lack top-level permissions: block (least-privilege violated) #1695

Description

@sdghsdkjlas27-dotcom

DESCRIPTION:
Only .github/workflows/zerocracy.yml declares a top-level permissions: block. The other 17 workflows inherit repo-wide default, which is typically read-all for public repos but project-policy-dependent. Best practice is to declare permissions: {} (least-privilege) at workflow or job level.

REPRODUCTION:

  1. Inspect any workflow.
  2. No permissions: block.

IMPACT:
Principle of least privilege violated; blast radius of compromised action = full workflow token scope.

RELATED FILES:
.github/workflows/{bashate,actionlint,checkmake,copyrights,hadolint,make,markdown-lint,pdd,rake,reuse,shellcheck,titles,typos,up,xcop,yamllint}.yml

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions