ci: declare least-privilege permissions on the remaining 11 workflows#8505
Open
arpitjain099 wants to merge 1 commit into
Most of these workflows just run lint/test/validate steps on pull
requests, so contents: read is sufficient and matches the top-level
style already used in golangci-lint.yml, hotfix-generate.yml, and
tidy.yaml.
Special cases:
- auto-update.yml uses tibdex/auto-update with GITHUB_TOKEN to refresh
PR branches against main, so it needs contents: write +
pull-requests: read.
- generate-kubelet-flags.yaml does a manual push + PR via
secrets.PERSONAL_ACCESS_TOKEN, not the default GITHUB_TOKEN, so
contents: read is enough for the default token. A comment was added
explaining the chosen scope.
- validate-pull-request-source.yml has no checkout and makes no API
calls; permissions: {} (deny all) covers it.
YAML validated locally with yaml.safe_load for each edited file.
Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
Pull request overview
This PR completes the repository’s move to explicit least-privilege GITHUB_TOKEN scopes by adding top-level permissions: blocks to the remaining GitHub Actions workflows that previously relied on default token permissions.
Changes:
- Added `permissions: contents: read` to workflows that only need to check out the repo and run lint/vet/test/validation jobs.
- Set `permissions: {}` on `validate-pull-request-source.yml` since it only reads `pull_request` event metadata and does not use the token.
- Granted `auto-update.yml` the minimal write scope it needs (`contents: write`) plus `pull-requests: read`; documented that `generate-kubelet-flags.yaml` uses a PAT for push/PR creation so `GITHUB_TOKEN` can remain read-only.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/validate-windows-ut.yml | Adds contents: read permissions for a checkout + Windows Pester tests workflow. |
| .github/workflows/validate-windows-binary-signature.yaml | Adds contents: read permissions for Windows file/signature checks that require checkout only. |
| .github/workflows/validate-pull-request-source.yml | Denies all token permissions ({}) since it only inspects PR event metadata (no checkout/API). |
| .github/workflows/validate-image-version.yml | Adds contents: read permissions for a checkout + make-based validation workflow. |
| .github/workflows/validate-components.yml | Adds contents: read permissions for schema validation and Go-based consistency/compatibility checks. |
| .github/workflows/shellspec.yaml | Adds contents: read permissions for checkout + ShellSpec unit tests. |
| .github/workflows/shellcheck.yml | Adds contents: read permissions for checkout + ShellCheck linting. |
| .github/workflows/no-sudo-check.yml | Adds contents: read permissions for checkout + grep-based validation. |
| .github/workflows/go-test.yml | Adds contents: read permissions for checkout + Go unit tests. |
| .github/workflows/generate-kubelet-flags.yaml | Sets contents: read and documents that push/PR creation uses a PAT (not GITHUB_TOKEN). |
| .github/workflows/auto-update.yml | Grants contents: write and pull-requests: read for the auto-update action to update PR branches. |
This repo already has explicit `permissions:` blocks on the major workflows (`codeql-analysis.yml`, `golangci-lint.yml`, `hotfix-generate.yml`, `labeler.yaml`, `pr-lint.yaml`, `tidy.yaml`, etc.). This PR finishes the job by adding scoped permissions to the 11 remaining workflows so none of them implicitly inherit a write-capable `GITHUB_TOKEN`.

The bulk of the changes are `permissions: contents: read` because the workflows just lint, vet, or test against a checkout:

- `go-test.yml`
- `no-sudo-check.yml`
- `shellcheck.yml`
- `shellspec.yaml`
- `validate-components.yml`
- `validate-image-version.yml`
- `validate-windows-binary-signature.yaml`
- `validate-windows-ut.yml`

Three workflows get a different scope because they actually do something with a token:

- `auto-update.yml` invokes `tibdex/auto-update@v2` with `secrets.GITHUB_TOKEN` to refresh PR branches off `main`, so it gets `contents: write` + `pull-requests: read`.
- `generate-kubelet-flags.yaml` performs its push + PR creation using `secrets.PERSONAL_ACCESS_TOKEN` (an explicit user PAT, not the default token). The default `GITHUB_TOKEN` only needs `contents: read` for the checkout; an inline comment was added documenting that.
- `validate-pull-request-source.yml` doesn't even check out the repo; it only inspects `github.event.pull_request.head.repo.full_name`. `permissions: {}` (deny all) is the most accurate.

Each edited file was validated with `python3 -c "import yaml; yaml.safe_load(...)"`.
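As an added illustration that is not part of this PR's diff or the repository's files, the four token shapes the description distinguishes, on constructed minimal workflows (one YAML document each): the triggers, the `actions/checkout@v4` pin and the step commands are assumptions, and the deny-all case reads the event field through an environment variable rather than interpolating it into the script.

```yaml
# Constructed illustration, not a file from this PR; job bodies are placeholders.
# Before: no top-level permissions block, so GITHUB_TOKEN inherits the repo default (possibly write-capable).
name: go-test
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: go test ./...
---
# After: read-only token, which is all checkout + lint/vet/test needs.
name: go-test
on: [pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: go test ./...
---
# Deny-all token: the job reads only event metadata, no checkout, no API call.
name: validate-pull-request-source
on: [pull_request]
permissions: {}
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - run: echo "PR head repo: $HEAD_REPO"
        env:
          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
---
# Narrow write: exactly the scopes the auto-update action needs, nothing more.
name: auto-update
on:
  push:
    branches: [main]
permissions:
  contents: write
  pull-requests: read
jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - uses: tibdex/auto-update@v2
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

A top-level `permissions:` block applies to every job in the file; a job that needs more can declare its own block, but any scope not listed at the top level is dropped to `none` for the rest of the workflow.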