DESCRIPTION:
Only .github/workflows/zerocracy.yml declares a top-level permissions: block. The other 17 workflows inherit repo-wide default, which is typically read-all for public repos but project-policy-dependent. Best practice is to declare permissions: {} (least-privilege) at workflow or job level.
REPRODUCTION:
- Inspect any workflow.
- No permissions: block.
IMPACT:
Principle of least privilege violated; blast radius of compromised action = full workflow token scope.
RELATED FILES:
.github/workflows/{bashate,actionlint,checkmake,copyrights,hadolint,make,markdown-lint,pdd,rake,reuse,shellcheck,titles,typos,up,xcop,yamllint}.yml
DESCRIPTION:
Only .github/workflows/zerocracy.yml declares a top-level permissions: block. The other 17 workflows inherit repo-wide default, which is typically read-all for public repos but project-policy-dependent. Best practice is to declare permissions: {} (least-privilege) at workflow or job level.
REPRODUCTION:
IMPACT:
Principle of least privilege violated; blast radius of compromised action = full workflow token scope.
RELATED FILES:
.github/workflows/{bashate,actionlint,checkmake,copyrights,hadolint,make,markdown-lint,pdd,rake,reuse,shellcheck,titles,typos,up,xcop,yamllint}.yml