Skip to content

workflows in .github/workflows/ declare no permissions: block, leaving GITHUB_TOKEN at the repository default #226

Description

@kreinba

All eleven workflow files under .github/workflows/actionlint.yml, bashate.yml, copyrights.yml, markdown-lint.yml, pdd.yml, rake.yml, reuse.yml, shellcheck.yml, typos.yml, xcop.yml, yamllint.yml — omit any permissions: declaration, at the workflow level and inside every job.

Without an explicit declaration the GITHUB_TOKEN issued to each job falls back to the repository default, which on legacy-default repositories is the full write set: contents: write, issues: write, pull-requests: write, and the rest. None of these workflows needs that. Every one of them checks out the tree and runs a third-party linter or formatter against the working copy; none calls git push, gh, or any write endpoint back to the repository. A compromised action version, or a mutable tag swapped under one of the @v6 / @master references already used here, would inherit that same write scope.

Fix: add permissions: contents: read at the top of each of the eleven workflow files. The rake workflow needs no more than contents: read either, since bundle exec rake does not write back to the repository.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions