ci: declare workflow-level contents: read on 4 workflows#3838
ci: declare workflow-level contents: read on 4 workflows#3838arpitjain099 wants to merge 1 commit into
contents: read on 4 workflows#3838Conversation
| permissions: | ||
| contents: read | ||
|
|
There was a problem hiding this comment.
Is it really necessary on jobs that just call other workflows?
Wouldn't it be sufficient to specify the permissions on the called workflows (which most but not all do).
Furthermore in this case, wouldn't this break some of the called workflows? IIRC it isn't possible to elevate the permissions?
|
Good catch @HannesWell, thanks. You're right on both counts: Force-pushed. Let me know if the reduced scope still makes sense, or if you'd rather close. |
arpitjain099
force-pushed
the
chore/declare-workflow-perms
branch
2 times, most recently
from
493c13a to
61273a5
Compare
Thanks for the update. Generally it totally makes sense to use only the minimal permissions. I'll have a look at it in detail probably not before the end of the week (we are currently in the final release phase, which is very busy). Besides this, I think there are a few more 'leave' workflows that don't have their permissions minimized. Could you check and update them too as appropriated? |
Per maintainer request on eclipse-platform#3838, extends least-privilege permissions to the remaining directly-triggered (leaf) workflows that lacked them: - htmlvalidator.yml: contents: read (read-only HTML validation on PRs) - pr-checks.yml: contents: read + issues: read (orchestrator; this is the minimal union its reusable workflows declare - checkVersions {}, verifyFreezePeriod issues: read, checkMergeCommits contents: read - so no write scope is needed) - licensecheck.yml: top-level contents: read default; the call-license-check job keeps its explicit pull-requests: write Left the reusable workflows (on: workflow_call) and the bot-PAT writer leaves (callUpdateTarget, version-increments) untouched, since their permissions intersect with caller grants and the maintainers are best placed to set those. Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
arpitjain099
force-pushed
the
chore/declare-workflow-perms
branch
from
61273a5 to
fb69314
Compare
|
Thanks, and no rush given the release phase. I went through the other leaf (directly-triggered) workflows and extended the PR to the ones that can be safely minimized:
I deliberately left two leaves alone: |
Per maintainer request on eclipse-platform#3838, extends least-privilege permissions to the remaining directly-triggered (leaf) workflows that lacked them: - htmlvalidator.yml: contents: read (read-only HTML validation on PRs) - pr-checks.yml: contents: read + issues: read (orchestrator; this is the minimal union its reusable workflows declare - checkVersions {}, verifyFreezePeriod issues: read, checkMergeCommits contents: read - so no write scope is needed) - licensecheck.yml: top-level contents: read default; the call-license-check job keeps its explicit pull-requests: write Left the reusable workflows (on: workflow_call) and the bot-PAT writer leaves (callUpdateTarget, version-increments) untouched, since their permissions intersect with caller grants and the maintainers are best placed to set those. Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
akurtakov
force-pushed
the
chore/declare-workflow-perms
branch
from
fb69314 to
0db6b7c
Compare
There was a problem hiding this comment.
Pull request overview
This PR hardens GitHub Actions workflows by explicitly declaring workflow-level permissions, aiming to follow a post–CVE hardening pattern and reduce default token privileges while keeping required checkout behavior working.
Changes:
- Adds a workflow-level
permissionsblock to explicitly setcontents: read(and related permissions) for updated workflows. - Updates
pr-checks.ymlto declare required permissions for its reusable-workflow jobs. - Updates
licensecheck.ymlto declare workflow-level permissions.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/pr-checks.yml | Adds workflow-level permissions for PR checks (notably contents: read, plus additional scope). |
| .github/workflows/licensecheck.yml | Adds workflow-level contents: read permissions for the license check workflow. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| permissions: | ||
| contents: read | ||
| issues: read | ||
|
|
||
| jobs: | ||
| check-freeze-period: | ||
| uses: ./.github/workflows/verifyFreezePeriod.yml |
| permissions: | ||
| contents: read | ||
|
|
| permissions: | ||
| contents: read | ||
| issues: read |
Adds workflow-level
permissions: contents: readto four workflows:callUpdateTarget,htmlvalidator,pr-checks,version-increments. None call the GitHub API beyond checkout.Same post-CVE-2025-30066 (
tj-actions/changed-files) hardening pattern. YAML validated locally.