
ci: set least-privilege GITHUB_TOKEN permissions #1041

Open
Alb3e3 wants to merge 1 commit into DaveGamble:master from Alb3e3:harden-ci-permissions

Conversation

Alb3e3 commented Jun 27, 2026

What

Adds a workflow-level `permissions: { contents: read }` block to the affected workflow(s).

Why

Without an explicit `permissions:` block, these workflows run with the broad default GITHUB_TOKEN scopes. The affected workflows only build, test, and/or fuzz the project — no job writes to the repository, releases, packages, or any other GitHub resource. Restricting the token to `contents: read` follows the principle of least privilege and limits the blast radius if any build/test/fuzz step (or a dependency it pulls in) were compromised. This matches GitHub-recommended and OpenSSF Scorecard "Token-Permissions" hardening guidance.

Scope

  • Additive only: one top-level `permissions` block per affected workflow.
  • No change to triggers, jobs, steps, or action versions.
  • YAML validated; `git diff --check` clean.

Disclosure: I used AI assistance while preparing this change. The diff is small and I have reviewed it for correctness.

Add a workflow-level `permissions: { contents: read }` block. The
affected workflow(s) only build, test, and/or fuzz the project; no job
writes to the repository or other GitHub resources, so read-only is the
correct least-privilege scope for the default GITHUB_TOKEN.
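An added check for the property this PR is about (example code, not from the PR or the cJSON project): it scans a workflow's top-level keys for a `permissions:` block, the way the OpenSSF Scorecard Token-Permissions check does in spirit, and reports which scopes are granted `write`. The sample workflow below is constructed; it is not the project's actual CI file.

```python
# Line-based audit of a workflow's top-level `permissions:` block (added
# example, not the PR's or cJSON's code). Handles the forms GitHub accepts
# at workflow level: `read-all` / `write-all`, an inline map such as
# `{ contents: read }`, and a nested block of `scope: level` lines.
import re

TOP_KEY = re.compile(r"^permissions:\s*(.*)$")          # column 0 only
NESTED = re.compile(r"^\s+([a-z-]+):\s*(read|write|none)\s*$")
INLINE = re.compile(r"([a-z-]+):\s*(read|write|none)")


def audit_permissions(workflow_text: str) -> dict:
    """Return {'declared': bool, 'scopes': {scope: level}, 'write_scopes': [...]}."""
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        m = TOP_KEY.match(line)   # job-level (indented) blocks are ignored on purpose
        if not m:
            continue
        rest = m.group(1).strip()
        scopes = {}
        if rest in ("read-all", "write-all"):
            scopes["*"] = rest.split("-")[0]   # shorthand applies to every scope
        elif rest.startswith("{"):
            scopes = dict(INLINE.findall(rest))
        else:                                   # nested block form
            for nxt in lines[i + 1:]:
                n = NESTED.match(nxt)
                if not n:
                    break
                scopes[n.group(1)] = n.group(2)
        write = sorted(k for k, v in scopes.items() if v == "write")
        return {"declared": True, "scopes": scopes, "write_scopes": write}
    # No top-level block: jobs run with the repository's default token scopes.
    return {"declared": False, "scopes": {}, "write_scopes": []}


# Constructed sample workflow, before and after the kind of change in this PR.
BEFORE = """name: CI
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: cmake -B build && cmake --build build && ctest --test-dir build
"""
AFTER = BEFORE.replace("on: [push, pull_request]\n",
                       "on: [push, pull_request]\npermissions: { contents: read }\n")
```

Run `audit_permissions` over each file under `.github/workflows/` and treat `declared: False` or a non-empty `write_scopes` as a finding to review.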
